CVE-2026-53196
Received Received - Intake
Heap Overflow in Linux Kernel USB Serial Driver

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: USB: serial: io_ti: fix heap overflow in get_manuf_info() get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the device I2C EEPROM into a buffer allocated with kmalloc_obj(), which is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes. The Size field comes from the device and is only validated (in check_i2c_image()) to make sure the descriptor fits within TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size. A malicious USB device can therefore set Size to any value up to 16377, causing a heap overflow of up to 16367 bytes when plugged into a host running this driver. valid_csum() is called after read_rom() and also iterates buffer[0..Size-1], compounding the out-of-bounds access. Fix by rejecting descriptors with unexpected length before calling read_rom(). [ johan: amend commit message; also check for short descriptors ]
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-53196
EUVD
EUVD-2026-39287
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's USB serial driver for Texas Instruments devices (io_ti). The function get_manuf_info() reads data from a device's I2C EEPROM into a buffer that is only 10 bytes in size. However, the size of the data to be read is controlled by a field called Size, which comes from the device itself and can be as large as 16377 bytes. Because the code only checks that Size is less than a maximum limit (16384 bytes) but does not verify it against the actual buffer size, a malicious USB device can cause a heap overflow by specifying a large Size value. This overflow can be up to 16367 bytes, potentially overwriting memory beyond the allocated buffer.

Additionally, another function, valid_csum(), iterates over the buffer using the same unchecked Size value, which compounds the out-of-bounds memory access. The vulnerability was fixed by adding validation to reject descriptors with unexpected lengths before reading the data.

Impact Analysis

This vulnerability can allow a malicious USB device to cause a heap overflow in the Linux kernel when plugged into a host system. Such a heap overflow can lead to memory corruption, which attackers might exploit to execute arbitrary code with kernel privileges, cause system crashes, or escalate their privileges on the affected system.

Mitigation Strategies

To mitigate this vulnerability, ensure that your Linux kernel is updated to a version where the fix for the heap overflow in the io_ti USB serial driver has been applied.

The fix involves rejecting descriptors with unexpected length before reading from the device EEPROM, preventing heap overflow caused by malicious USB devices.

As an immediate step, avoid connecting untrusted or unknown USB devices that use the affected driver until the kernel is patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53196. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart