Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local trigger via firmware image with low privilege (PR:L) and no user interaction; kernel heap overflow yields full C/I/A impact, matching the published 7.8 rating.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()
build_i2c_fw_hdr() allocates a fixed-size buffer of (16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes, then copies le16_to_cpu(img_header->Length) bytes into it without validating that Length fits within the available space after the firmware record header.
img_header->Length is a __le16 from the firmware file and can be up to 65535. check_fw_sanity() validates the total firmware size but not img_header->Length specifically.
Fix by rejecting images where img_header->Length exceeds the available destination space.
AnalysisAI
Kernel-level heap buffer overflow (out-of-bounds write) in the Linux kernel's io_ti USB-serial driver (used by Digi Edgeport TI-based USB serial adapters) allows a local low-privileged attacker or a malicious/crafted firmware image to corrupt kernel heap memory. The flaw lives in build_i2c_fw_hdr(), which copies an attacker-influenced 16-bit Length field (up to 65535) from the firmware image into a fixed-size buffer without validating it fits the remaining space after the ti_i2c_firmware_rec header. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the io_ti driver to be loaded, meaning a Digi/Inside Out Networks Edgeport TI-based USB serial converter is present (or a malicious USB device emulating one), and the attacker must be able to influence the firmware image parsed during download so that ti_i2c_image_header.Length exceeds (16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are internally consistent and point to a genuine but not urgent local-privilege issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can supply a firmware image to the io_ti driver - either by plugging in a malicious USB device that presents itself as a Digi Edgeport TI adapter, or, with local privileges, by placing a crafted firmware blob where the driver loads it - sets img_header->Length to a value larger than the destination buffer. When build_i2c_fw_hdr() copies that many bytes, it overflows the kernel heap, corrupting adjacent structures and potentially escalating to arbitrary kernel code execution or a system crash. … |
| Remediation | Apply your distribution's kernel update or upgrade to a fixed stable release: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 or later (Vendor-released patch: these stable versions; upstream fix available as commits at git.kernel.org/stable such as 0fd2b00b2d3d and 130d6567eb14). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit systems for Digi Edgeport TI USB adapter connections and the io_ti kernel driver installation. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39286
GHSA-397c-7vfx-vg4x