CVE-2026-53196 in Linux
Summary
by MITRE • 06/25/2026
In the Linux kernel, the following vulnerability has been resolved:
USB: serial: io_ti: fix heap overflow in get_manuf_info()
get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the device I2C EEPROM into a buffer allocated with kmalloc_obj(), which is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.
The Size field comes from the device and is only validated (in check_i2c_image()) to make sure the descriptor fits within TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size. A malicious USB device can therefore set Size to any value up to 16377, causing a heap overflow of up to 16367 bytes when plugged into a host running this driver.
valid_csum() is called after read_rom() and also iterates buffer[0..Size-1], compounding the out-of-bounds access.
Fix by rejecting descriptors with unexpected length before calling read_rom().
[ johan: amend commit message; also check for short descriptors ]
Analysis
by VulDB Data Team • 06/25/2026
The vulnerability identified in the Linux kernel's USB serial driver represents a critical heap overflow condition that arises from inadequate input validation during device enumeration. This flaw exists within the io_ti driver component responsible for handling Texas Instruments USB-to-serial converters, specifically in the get_manuf_info() function where device firmware descriptors are processed. The technical implementation fails to properly validate the Size field from the device's I2C EEPROM against the actual buffer capacity allocated for processing, creating a scenario where malicious devices can trigger memory corruption through carefully crafted descriptor lengths.
The core technical flaw stems from improper bounds checking that allows an attacker-controlled value to determine how many bytes are copied into a fixed-size buffer. The function allocates memory using kmalloc_obj() for a structure of exactly 10 bytes, struct edge_ti_manuf_descriptor, yet reads the number of bytes given by the unvalidated rom_desc->Size field, which can be up to 16377 bytes according to the device specification. This creates a heap overflow that can extend up to 16367 bytes beyond the allocated buffer, potentially allowing arbitrary code execution or system instability when the malicious USB device is connected to a vulnerable host system.
This vulnerability directly maps to CWE-121 and CWE-122 categories within the Common Weakness Enumeration framework, specifically addressing heap-based buffer overflow conditions where insufficient bounds checking allows data to be written beyond allocated memory regions. The operational impact extends beyond simple memory corruption as the valid_csum() function processes the same buffer after read_rom() completes, creating a second out-of-bounds access vector that compounds the original vulnerability and increases the attack surface for potential exploitation. The flaw affects systems running Linux kernels with the io_ti USB serial driver enabled, particularly those connecting to USB devices that support I2C EEPROM communication protocols.
The mitigation strategy implemented addresses this by introducing pre-validation checks before any data processing occurs, rejecting descriptors with unexpected lengths prior to calling read_rom(). This defensive programming approach ensures that device descriptors are validated against their intended buffer sizes before memory allocation and copying operations begin. The fix also incorporates additional checks for short descriptors to prevent edge cases where malformed data might still cause issues during processing. From an ATT&CK framework perspective, this vulnerability represents a privilege escalation opportunity through physical access or social engineering attacks that could leverage the USB device as an attack vector. It potentially enables code execution with kernel privileges and compromises system integrity through memory corruption techniques that align with T1059 and T1068 attack patterns.
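The length check described above, as an added userspace C model; it is not the kernel patch and not code from this page. The 4-byte header layout, the additive checksum, the exact-equality test and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define MANUF_DESC_LEN 10u /* sizeof(struct edge_ti_manuf_descriptor), per the summary */
#define HDR_LEN 4u         /* assumed header: type, Size (le16), checksum */

/* Bytes an unchecked read of `size` bytes would write past the 10-byte buffer. */
size_t overflow_if_unchecked(uint16_t size)
{
    return size > MANUF_DESC_LEN ? (size_t)size - MANUF_DESC_LEN : 0;
}

/* Hardened pattern: compare the device-supplied Size with the destination size
 * before copying or checksumming. Returns 0 on success, -1 on reject. */
int get_manuf_info_checked(const uint8_t *img, size_t img_len,
                           uint8_t out[MANUF_DESC_LEN])
{
    uint16_t size;
    uint8_t sum = 0;
    if (img_len < HDR_LEN + MANUF_DESC_LEN)    /* image must hold header + payload */
        return -1;
    size = (uint16_t)(img[1] | (img[2] << 8)); /* device-controlled */
    if (size != MANUF_DESC_LEN)                /* rejects long and short */
        return -1;
    memcpy(out, img + HDR_LEN, MANUF_DESC_LEN);
    for (size_t i = 0; i < MANUF_DESC_LEN; i++)
        sum = (uint8_t)(sum + out[i]);
    return sum == img[3] ? 0 : -1;             /* assumed 8-bit additive checksum */
}

/* Constructed sample: header claiming `claimed` bytes, then 10 payload bytes. */
int check_sample(uint16_t claimed)
{
    uint8_t img[HDR_LEN + MANUF_DESC_LEN] = { 0x01 }; /* arbitrary type byte */
    uint8_t out[MANUF_DESC_LEN];
    img[1] = (uint8_t)(claimed & 0xff);
    img[2] = (uint8_t)(claimed >> 8);
    for (size_t i = 0; i < MANUF_DESC_LEN; i++) {
        img[HDR_LEN + i] = (uint8_t)(i + 1);
        img[3] = (uint8_t)(img[3] + img[HDR_LEN + i]);
    }
    return get_manuf_info_checked(img, sizeof(img), out);
}

int main(void)
{
    return (check_sample(10) == 0 && check_sample(16377) == -1) ? 0 : 1;
}
```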