Linux Kernel: USB Serial TA_11564 Heap Overflow (CVE-2026-53196)
CVE-2026-53196 Published on June 25, 2026
USB: serial: io_ti: fix heap overflow in get_manuf_info()
In the Linux kernel, the following vulnerability has been resolved:
USB: serial: io_ti: fix heap overflow in get_manuf_info()
get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the
device I2C EEPROM into a buffer allocated with kmalloc_obj(), which
is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.
The Size field comes from the device and is only validated (in
check_i2c_image()) to make sure the descriptor fits within
TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size.
A malicious USB device can therefore set Size to any value up to 16377,
causing a heap overflow of up to 16367 bytes when plugged into a host
running this driver.
valid_csum() is called after read_rom() and also iterates
buffer[0..Size-1], compounding the out-of-bounds access.
Fix by rejecting descriptors with unexpected length before calling
read_rom().
[ johan: amend commit message; also check for short descriptors ]
Vulnerability Analysis
CVE-2026-53196 is exploitable with physical access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Memory Corruption Vulnerability?
The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.
CVE-2026-53196 has been classified to as a Memory Corruption vulnerability or weakness.
Products Associated with CVE-2026-53196
stack.watch emails you whenever new vulnerabilities are published in Linux Kernel or Red Hat Enterprise Linux (RHEL). Just hit a watch button to start following.
Affected Versions
Linux:- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below e168db91442b94e64fa82a7dd297983d48ea5cc0 is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 561edb021486e6723d841926aa4b48097da06190 is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below cfd634f6dfd40c49a84f9bddc2867a80e2e2623a is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below d92f17af7097d10bdeddf26f66f34b354104b277 is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below b849f30d1a9e66aae6b715aaef66e427390cb081 is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below f96cf7bf9fbf15d7fcf0c91fec47ba8a010369ea is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below d214d2341d4f9f447e36a7d012cdf6a6631a55f1 is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 183c1076eca43bbb3e7bdf597456f91d81c73e74 is affected.
- Version 2.6.12 is affected.
- Before 2.6.12 is unaffected.
- Version 5.10.259, <= 5.10.* is unaffected.
- Version 5.15.210, <= 5.15.* is unaffected.
- Version 6.1.176, <= 6.1.* is unaffected.
- Version 6.6.143, <= 6.6.* is unaffected.
- Version 6.12.94, <= 6.12.* is unaffected.
- Version 6.18.36, <= 6.18.* is unaffected.
- Version 7.0.13, <= 7.0.* is unaffected.
- Version 7.1, <= * is unaffected.