{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-53196", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-06-09T07:44:35.391Z", "datePublished": "2026-06-25T08:39:06.330Z", "dateUpdated": "2026-06-25T08:39:06.330Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-06-25T08:39:06.330Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: serial: io_ti: fix heap overflow in get_manuf_info()\n\nget_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the\ndevice I2C EEPROM into a buffer allocated with kmalloc_obj(), which\nis sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.\n\nThe Size field comes from the device and is only validated (in\ncheck_i2c_image()) to make sure the descriptor fits within\nTI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size.\nA malicious USB device can therefore set Size to any value up to 16377,\ncausing a heap overflow of up to 16367 bytes when plugged into a host\nrunning this driver.\n\nvalid_csum() is called after read_rom() and also iterates\nbuffer[0..Size-1], compounding the out-of-bounds access.\n\nFix by rejecting descriptors with unexpected length before calling\nread_rom().\n\n[ johan: amend commit message; also check for short descriptors ]"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/serial/io_ti.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "e168db91442b94e64fa82a7dd297983d48ea5cc0", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "561edb021486e6723d841926aa4b48097da06190", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "cfd634f6dfd40c49a84f9bddc2867a80e2e2623a", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "d92f17af7097d10bdeddf26f66f34b354104b277", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "b849f30d1a9e66aae6b715aaef66e427390cb081", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "f96cf7bf9fbf15d7fcf0c91fec47ba8a010369ea", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "d214d2341d4f9f447e36a7d012cdf6a6631a55f1", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "183c1076eca43bbb3e7bdf597456f91d81c73e74", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/serial/io_ti.c"], "versions": [{"version": "2.6.12", "status": "affected"}, {"version": "0", "lessThan": "2.6.12", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.259", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.210", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.176", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.143", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.94", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.36", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.13", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "5.10.259"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "5.15.210"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.1.176"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.6.143"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.12.94"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.18.36"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "7.0.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "7.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e168db91442b94e64fa82a7dd297983d48ea5cc0"}, {"url": "https://git.kernel.org/stable/c/561edb021486e6723d841926aa4b48097da06190"}, {"url": "https://git.kernel.org/stable/c/cfd634f6dfd40c49a84f9bddc2867a80e2e2623a"}, {"url": "https://git.kernel.org/stable/c/d92f17af7097d10bdeddf26f66f34b354104b277"}, {"url": "https://git.kernel.org/stable/c/b849f30d1a9e66aae6b715aaef66e427390cb081"}, {"url": "https://git.kernel.org/stable/c/f96cf7bf9fbf15d7fcf0c91fec47ba8a010369ea"}, {"url": "https://git.kernel.org/stable/c/d214d2341d4f9f447e36a7d012cdf6a6631a55f1"}, {"url": "https://git.kernel.org/stable/c/183c1076eca43bbb3e7bdf597456f91d81c73e74"}], "title": "USB: serial: io_ti: fix heap overflow in get_manuf_info()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{}

{}

{"created": "2026-06-25T11:00:11.394282+00:00", "updated": "2026-06-25T11:00:11.394290+00:00", "vendors": [], "weaknesses": ["CWE-122", "CWE-20"]}