Bug 2492750 (CVE-2026-53196) - CVE-2026-53196 kernel: USB: serial: io_ti: fix heap overflow in get_manuf_info()
Summary: CVE-2026-53196 kernel: USB: serial: io_ti: fix heap overflow in get_manuf_info()
Keywords:
Status: NEW
Alias: CVE-2026-53196
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-06-25 10:03 UTC by OSIDB Bzimport
Modified: 2026-06-25 23:02 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-25 10:03:47 UTC
In the Linux kernel, the following vulnerability has been resolved:

USB: serial: io_ti: fix heap overflow in get_manuf_info()

get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the
device I2C EEPROM into a buffer allocated with kmalloc_obj(), which
is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.

The Size field comes from the device and is only validated (in
check_i2c_image()) to make sure the descriptor fits within
TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size.
A malicious USB device can therefore set Size to any value up to 16377,
causing a heap overflow of up to 16367 bytes when plugged into a host
running this driver.

valid_csum() is called after read_rom() and also iterates
buffer[0..Size-1], compounding the out-of-bounds access.

Fix by rejecting descriptors with unexpected length before calling
read_rom().

[ johan: amend commit message; also check for short descriptors ]
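The length check the commit message describes, as an added userspace illustration that is not the kernel's io_ti code. It models the two checks involved: the one check_i2c_image() already applied (descriptor fits within TI_MAX_I2C_SIZE) and the one the fix adds to get_manuf_info() (device-supplied Size must equal the 10-byte destination before read_rom() runs). The struct layout, the in-memory EEPROM image and all *_model names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TI_MAX_I2C_SIZE 16384          /* limit named in the commit message */
#define MODEL_EINVAL    22             /* stands in for the kernel's -EINVAL */

/* Hypothetical fixed-size manufacturing descriptor: 10 bytes, the size the
 * commit message gives for struct edge_ti_manuf_descriptor. The field layout
 * is a placeholder, not the real kernel struct. */
struct manuf_descriptor_model {
    uint8_t payload[10];
};

/* The only check the old code path applied (in check_i2c_image()): the
 * descriptor must fit within the I2C image. Nothing here relates Size to
 * the destination buffer, which is why it was insufficient on its own. */
static int check_i2c_image_model(uint16_t size)
{
    return size <= TI_MAX_I2C_SIZE;
}

/* Simulated read_rom(): copies `len` bytes out of an in-memory EEPROM image.
 * Like the real helper it knows nothing about the size of `dst`, so any
 * bounds decision must be made by the caller before this runs. */
static int read_rom_model(const uint8_t *eeprom, size_t eeprom_len,
                          size_t off, size_t len, uint8_t *dst)
{
    if (off + len > eeprom_len)
        return -1;
    memcpy(dst, eeprom + off, len);
    return 0;
}

/* Fixed shape of get_manuf_info(): the device-supplied Size is compared with
 * the destination size before read_rom() is ever called. Using != rejects
 * both oversized descriptors (heap overflow) and short ones (the "also check
 * for short descriptors" note in the commit message). */
static int get_manuf_info_model(const uint8_t *eeprom, size_t eeprom_len,
                                size_t desc_off, uint16_t size,
                                struct manuf_descriptor_model *out)
{
    if (size != sizeof(*out))
        return -MODEL_EINVAL;
    return read_rom_model(eeprom, eeprom_len, desc_off, size, out->payload);
}

/* Run the validated read against a constructed 32-byte EEPROM image whose
 * descriptor starts at offset 4; returns the status code. */
static int try_size(uint16_t size)
{
    struct manuf_descriptor_model d;
    uint8_t eeprom[32];                 /* constructed sample image */
    for (size_t i = 0; i < sizeof(eeprom); i++)
        eeprom[i] = (uint8_t)i;
    return get_manuf_info_model(eeprom, sizeof(eeprom), 4, size, &d);
}

/* Same as try_size() but returns the first payload byte on success, -1 on
 * rejection, so a caller can confirm the accepted path really copied data. */
static int try_size_payload0(uint16_t size)
{
    struct manuf_descriptor_model d;
    uint8_t eeprom[32];                 /* constructed sample image */
    for (size_t i = 0; i < sizeof(eeprom); i++)
        eeprom[i] = (uint8_t)i;
    if (get_manuf_info_model(eeprom, sizeof(eeprom), 4, size, &d) != 0)
        return -1;
    return d.payload[0];
}

int main(void)
{
    /* Size values from the commit message: 16377 passes the image check but
     * would overflow the 10-byte buffer; 10 is the only accepted size. */
    printf("16377: image-check=%d get_manuf_info=%d\n",
           check_i2c_image_model(16377), try_size(16377));
    printf("   10: image-check=%d get_manuf_info=%d\n",
           check_i2c_image_model(10), try_size(10));
    printf("    4: image-check=%d get_manuf_info=%d\n",
           check_i2c_image_model(4), try_size(4));
    return 0;
}
```

The point of the model is the gap between the two checks: a Size of 16377 satisfies check_i2c_image_model() yet would write 16367 bytes past a 10-byte allocation, so the comparison against the destination size has to happen in get_manuf_info() itself, ahead of the read.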

