Skip to main content

Linux Kernel CVE-2026-53196

| EUVDEUVD-2026-39287 MEDIUM
Out-of-bounds Write (CWE-787)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-f3q5-7m6p-4qxq
6.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.8 MEDIUM

Exploitation needs a malicious USB device physically attached (AV:P) but no credentials and no special complexity once probed (PR:N/AC:L); heap corruption yields full kernel C/I/A impact.

3.1 AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Severity Changed
Jul 01, 2026 - 13:22 NVD
HIGH MEDIUM
CVSS changed
Jul 01, 2026 - 13:22 NVD
7.0 (HIGH) 6.8 (MEDIUM)
Analysis Generated
Jun 30, 2026 - 05:32 vuln.today
CVSS changed
Jun 30, 2026 - 03:24 NVD
7.0 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.0

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

USB: serial: io_ti: fix heap overflow in get_manuf_info()

get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the device I2C EEPROM into a buffer allocated with kmalloc_obj(), which is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.

The Size field comes from the device and is only validated (in check_i2c_image()) to make sure the descriptor fits within TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size. A malicious USB device can therefore set Size to any value up to 16377, causing a heap overflow of up to 16367 bytes when plugged into a host running this driver.

valid_csum() is called after read_rom() and also iterates buffer[0..Size-1], compounding the out-of-bounds access.

Fix by rejecting descriptors with unexpected length before calling read_rom().

[ johan: amend commit message; also check for short descriptors ]

AnalysisAI

Heap buffer overflow in the Linux kernel's io_ti USB serial driver (get_manuf_info()) lets a malicious USB device overflow a 10-byte kmalloc buffer by up to ~16 KB when attached to a host using this driver. The driver trusts the EEPROM-supplied descriptor Size field (validated only against TI_MAX_I2C_SIZE, not the destination buffer), enabling kernel memory corruption with high confidentiality, integrity, and availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious USB device with oversized EEPROM descriptor
Delivery
Plug device into target host USB port
Exploit
io_ti driver probes and reads manufacturing descriptor
Execution
get_manuf_info() copies Size bytes past 10-byte heap buffer
Persist
Corrupt adjacent kernel heap structures
Impact
Escalate to kernel-level code execution

Vulnerability AssessmentAI

Exploitation Exploitation requires physically attaching a malicious or modified USB device that presents itself to the TI/Edgeport io_ti USB serial driver, and the target host must have the io_ti driver present and configured to auto-probe attached devices. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are consistent and point to a real but constrained risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with brief physical access (an evil-maid or planted-peripheral scenario) crafts a USB serial device whose EEPROM advertises a manufacturing descriptor Size far larger than 10 bytes. When the device is plugged into a host that probes it with the io_ti driver, get_manuf_info() overflows the kernel heap with attacker-controlled bytes, corrupting adjacent kernel structures and potentially escalating to kernel-level code execution. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later in each series), or apply the corresponding stable commits from git.kernel.org (e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Linux systems using the io_ti USB serial driver and assess current USB device policies. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53196 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy