USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()

Summary

CVE	CVE-2026-53195
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-06-25 09:16:36 UTC
Updated	2026-06-25 09:16:36 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() build_i2c_fw_hdr() allocates a fixed-size buffer of (16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes, then copies le16_to_cpu(img_header->Length) bytes into it without validating that Length fits within the available space after the firmware record header. img_header->Length is a __le16 from the firmware file and can be up to 65535. check_fw_sanity() validates the total firmware size but not img_header->Length specifically. Fix by rejecting images where img_header->Length exceeds the available destination space.

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 3e187152f44d76d7633a3855ffd0099e1588b82a git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 b7faf660eefa2047ebc2959ff76da2b6eae2e9e3 git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 2fd64bf0ad66ab5de0c73524591d879427ba5aba git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 4cb722747ed25971f35cc47ce5c0e79d7f717713 git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 130d6567eb148040eed1b73e1414ad6c27d22bd5 git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 294692d3296eee3391c348d7ea6401916d27806c git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 5a79b634ee58786ca627268daefa7744f2af2e14 git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 0fd2b00b2d3d05e3eaa13342b3dfb0fa85c226ae git	Not specified
CNA	Linux	Linux	affected 2.6.12	Not specified
CNA	Linux	Linux	unaffected 2.6.12 semver	Not specified
CNA	Linux	Linux	unaffected 5.10.259 5.10.* semver	Not specified
CNA	Linux	Linux	unaffected 5.15.210 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.176 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.143 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.94 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.36 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.13 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/4cb722747ed25971f35cc47ce5c0e79d7f717713	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/2fd64bf0ad66ab5de0c73524591d879427ba5aba	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/5a79b634ee58786ca627268daefa7744f2af2e14	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/0fd2b00b2d3d05e3eaa13342b3dfb0fa85c226ae	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/b7faf660eefa2047ebc2959ff76da2b6eae2e9e3	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/130d6567eb148040eed1b73e1414ad6c27d22bd5	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/3e187152f44d76d7633a3855ffd0099e1588b82a	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/294692d3296eee3391c348d7ea6401916d27806c	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.