CVE-2026-53196
Analyzed Analyzed - Analysis Complete

Heap Overflow in Linux Kernel USB Serial Driver

Vulnerability report for CVE-2026-53196, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-07-15

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: USB: serial: io_ti: fix heap overflow in get_manuf_info() get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the device I2C EEPROM into a buffer allocated with kmalloc_obj(), which is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes. The Size field comes from the device and is only validated (in check_i2c_image()) to make sure the descriptor fits within TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size. A malicious USB device can therefore set Size to any value up to 16377, causing a heap overflow of up to 16367 bytes when plugged into a host running this driver. valid_csum() is called after read_rom() and also iterates buffer[0..Size-1], compounding the out-of-bounds access. Fix by rejecting descriptors with unexpected length before calling read_rom(). [ johan: amend commit message; also check for short descriptors ]

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 19 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 5.16 (inc) to 6.1.176 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.143 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.210 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.36 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.94 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.13 (exc)
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 2.6.12.1 (inc) to 5.10.259 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability involves a heap overflow in the Linux kernel's USB serial driver (io_ti) when reading manufacturer information from a USB device's I2C EEPROM. Detection involves identifying if the system is running a vulnerable version of the Linux kernel with the io_ti driver.

Since the vulnerability is triggered by plugging in a malicious USB device, monitoring USB device connections and checking kernel logs for unusual errors related to the io_ti driver can help detect exploitation attempts.

Suggested commands to help detect or investigate this vulnerability include:

  • Check the kernel version to determine if it includes the fix: `uname -r`
  • List loaded USB serial drivers and check for io_ti: `lsmod | grep io_ti`
  • Monitor kernel logs for errors related to USB serial devices: `dmesg | grep -i usb` or `journalctl -k | grep io_ti`
  • Use `lsusb` to list connected USB devices and identify suspicious or unknown devices.

Note that there are no specific detection commands or signatures provided in the available information.

Executive Summary

This vulnerability exists in the Linux kernel's USB serial driver for Texas Instruments devices (io_ti). The function get_manuf_info() reads data from a device's I2C EEPROM into a buffer that is only 10 bytes in size. However, the size of the data to be read is controlled by a field called Size, which comes from the device itself and can be as large as 16377 bytes. Because the code only checks that Size is less than a maximum limit (16384 bytes) but does not verify it against the actual buffer size, a malicious USB device can cause a heap overflow by specifying a large Size value. This overflow can be up to 16367 bytes, potentially overwriting memory beyond the allocated buffer.

Additionally, another function, valid_csum(), iterates over the buffer using the same unchecked Size value, which compounds the out-of-bounds memory access. The vulnerability was fixed by adding validation to reject descriptors with unexpected lengths before reading the data.

Impact Analysis

This vulnerability can allow a malicious USB device to cause a heap overflow in the Linux kernel when plugged into a host system. Such a heap overflow can lead to memory corruption, which attackers might exploit to execute arbitrary code with kernel privileges, cause system crashes, or escalate their privileges on the affected system.

Mitigation Strategies

To mitigate this vulnerability, ensure that your Linux kernel is updated to a version where the fix for the heap overflow in the io_ti USB serial driver has been applied.

The fix involves rejecting descriptors with unexpected length before reading from the device EEPROM, preventing heap overflow caused by malicious USB devices.

As an immediate step, avoid connecting untrusted or unknown USB devices that use the affected driver until the kernel is patched.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53196. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart