CVE-2026-53196

Description

In the Linux kernel, the following vulnerability has been resolved: USB: serial: io_ti: fix heap overflow in get_manuf_info() get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the device I2C EEPROM into a buffer allocated with kmalloc_obj(), which is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes. The Size field comes from the device and is only validated (in check_i2c_image()) to make sure the descriptor fits within TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size. A malicious USB device can therefore set Size to any value up to 16377, causing a heap overflow of up to 16367 bytes when plugged into a host running this driver. valid_csum() is called after read_rom() and also iterates buffer[0..Size-1], compounding the out-of-bounds access. Fix by rejecting descriptors with unexpected length before calling read_rom(). [ johan: amend commit message; also check for short descriptors ]

Affected products

• Linux / Linux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 – e168db91442b94e64fa82a7dd297983d48ea5cc0
• Linux / Linux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 – 561edb021486e6723d841926aa4b48097da06190
• Linux / Linux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 – cfd634f6dfd40c49a84f9bddc2867a80e2e2623a
• Linux / Linux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 – d92f17af7097d10bdeddf26f66f34b354104b277
• Linux / Linux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 – b849f30d1a9e66aae6b715aaef66e427390cb081
• Linux / Linux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 – f96cf7bf9fbf15d7fcf0c91fec47ba8a010369ea
• Linux / Linux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 – d214d2341d4f9f447e36a7d012cdf6a6631a55f1
• Linux / Linux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 – 183c1076eca43bbb3e7bdf597456f91d81c73e74
• Linux / Linux2.6.12 – 2.6.12
• Linux / Linux0 – 2.6.12
• Linux / Linux5.10.259 – 5.10.*
• Linux / Linux5.15.210 – 5.15.*
• Linux / Linux6.1.176 – 6.1.*
• Linux / Linux6.6.143 – 6.6.*
• Linux / Linux6.12.94 – 6.12.*
• Linux / Linux6.18.36 – 6.18.*
• Linux / Linux7.0.13 – 7.0.*
• Linux / Linux7.1 – *

References

• MISChttps://git.kernel.org/stable/c/e168db91442b94e64fa82a7dd297983d48ea5cc0
• MISChttps://git.kernel.org/stable/c/561edb021486e6723d841926aa4b48097da06190
• MISChttps://git.kernel.org/stable/c/cfd634f6dfd40c49a84f9bddc2867a80e2e2623a
• MISChttps://git.kernel.org/stable/c/d92f17af7097d10bdeddf26f66f34b354104b277
• MISChttps://git.kernel.org/stable/c/b849f30d1a9e66aae6b715aaef66e427390cb081
• MISChttps://git.kernel.org/stable/c/f96cf7bf9fbf15d7fcf0c91fec47ba8a010369ea
• MISChttps://git.kernel.org/stable/c/d214d2341d4f9f447e36a7d012cdf6a6631a55f1
• MISChttps://git.kernel.org/stable/c/183c1076eca43bbb3e7bdf597456f91d81c73e74