GHSA-f3q5-7m6p-4qxqHighCVSS 7.0

In the Linux kernel, the following vulnerability has been resolved: USB: serial: io_ti: fix heap...

Published
June 25, 2026
Last Modified
June 30, 2026

🔗 CVE IDs covered (1)

📋 Description

In the Linux kernel, the following vulnerability has been resolved:

USB: serial: io_ti: fix heap overflow in get_manuf_info()

get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the device I2C EEPROM into a buffer allocated with kmalloc_obj(), which is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.

The Size field comes from the device and is only validated (in check_i2c_image()) to make sure the descriptor fits within TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size. A malicious USB device can therefore set Size to any value up to 16377, causing a heap overflow of up to 16367 bytes when plugged into a host running this driver.

valid_csum() is called after read_rom() and also iterates buffer[0..Size-1], compounding the out-of-bounds access.

Fix by rejecting descriptors with unexpected length before calling read_rom().

[ johan: amend commit message; also check for short descriptors ]

🔗 References (13)