USB: serial: io_ti: fix heap overflow in get_manuf_info()

Summary

CVE	CVE-2026-53196
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-06-25 09:16:37 UTC
Updated	2026-06-25 09:16:37 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: USB: serial: io_ti: fix heap overflow in get_manuf_info() get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the device I2C EEPROM into a buffer allocated with kmalloc_obj(), which is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes. The Size field comes from the device and is only validated (in check_i2c_image()) to make sure the descriptor fits within TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size. A malicious USB device can therefore set Size to any value up to 16377, causing a heap overflow of up to 16367 bytes when plugged into a host running this driver. valid_csum() is called after read_rom() and also iterates buffer[0..Size-1], compounding the out-of-bounds access. Fix by rejecting descriptors with unexpected length before calling read_rom(). [ johan: amend commit message; also check for short descriptors ]

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 e168db91442b94e64fa82a7dd297983d48ea5cc0 git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 561edb021486e6723d841926aa4b48097da06190 git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 cfd634f6dfd40c49a84f9bddc2867a80e2e2623a git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 d92f17af7097d10bdeddf26f66f34b354104b277 git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 b849f30d1a9e66aae6b715aaef66e427390cb081 git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 f96cf7bf9fbf15d7fcf0c91fec47ba8a010369ea git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 d214d2341d4f9f447e36a7d012cdf6a6631a55f1 git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 183c1076eca43bbb3e7bdf597456f91d81c73e74 git	Not specified
CNA	Linux	Linux	affected 2.6.12	Not specified
CNA	Linux	Linux	unaffected 2.6.12 semver	Not specified
CNA	Linux	Linux	unaffected 5.10.259 5.10.* semver	Not specified
CNA	Linux	Linux	unaffected 5.15.210 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.176 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.143 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.94 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.36 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.13 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/e168db91442b94e64fa82a7dd297983d48ea5cc0	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/cfd634f6dfd40c49a84f9bddc2867a80e2e2623a	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/561edb021486e6723d841926aa4b48097da06190	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/d92f17af7097d10bdeddf26f66f34b354104b277	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/b849f30d1a9e66aae6b715aaef66e427390cb081	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/f96cf7bf9fbf15d7fcf0c91fec47ba8a010369ea	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/d214d2341d4f9f447e36a7d012cdf6a6631a55f1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/183c1076eca43bbb3e7bdf597456f91d81c73e74	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.