Skip to main content

Linux Kernel EUVDEUVD-2026-39286

| CVE-2026-53195 HIGH
Out-of-bounds Write (CWE-787)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-397c-7vfx-vg4x
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local trigger via firmware image with low privilege (PR:L) and no user interaction; kernel heap overflow yields full C/I/A impact, matching the published 7.8 rating.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 06, 2026 - 12:38 vuln.today
CVSS changed
Jul 06, 2026 - 12:37 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 nvd
HIGH 7.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()

build_i2c_fw_hdr() allocates a fixed-size buffer of (16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes, then copies le16_to_cpu(img_header->Length) bytes into it without validating that Length fits within the available space after the firmware record header.

img_header->Length is a __le16 from the firmware file and can be up to 65535. check_fw_sanity() validates the total firmware size but not img_header->Length specifically.

Fix by rejecting images where img_header->Length exceeds the available destination space.

AnalysisAI

Kernel-level heap buffer overflow (out-of-bounds write) in the Linux kernel's io_ti USB-serial driver (used by Digi Edgeport TI-based USB serial adapters) allows a local low-privileged attacker or a malicious/crafted firmware image to corrupt kernel heap memory. The flaw lives in build_i2c_fw_hdr(), which copies an attacker-influenced 16-bit Length field (up to 65535) from the firmware image into a fixed-size buffer without validating it fits the remaining space after the ti_i2c_firmware_rec header. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attach rogue Edgeport USB device or supply crafted firmware
Delivery
Driver parses I2C firmware header
Exploit
Oversized Length copied in build_i2c_fw_hdr()
Execution
Kernel heap buffer overflow
Persist
Corrupt adjacent kernel structures
Impact
Escalate privileges or crash system

Vulnerability AssessmentAI

Exploitation Exploitation requires the io_ti driver to be loaded, meaning a Digi/Inside Out Networks Edgeport TI-based USB serial converter is present (or a malicious USB device emulating one), and the attacker must be able to influence the firmware image parsed during download so that ti_i2c_image_header.Length exceeds (16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are internally consistent and point to a genuine but not urgent local-privilege issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can supply a firmware image to the io_ti driver - either by plugging in a malicious USB device that presents itself as a Digi Edgeport TI adapter, or, with local privileges, by placing a crafted firmware blob where the driver loads it - sets img_header->Length to a value larger than the destination buffer. When build_i2c_fw_hdr() copies that many bytes, it overflows the kernel heap, corrupting adjacent structures and potentially escalating to arbitrary kernel code execution or a system crash. …
Remediation Apply your distribution's kernel update or upgrade to a fixed stable release: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 or later (Vendor-released patch: these stable versions; upstream fix available as commits at git.kernel.org/stable such as 0fd2b00b2d3d and 130d6567eb14). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit systems for Digi Edgeport TI USB adapter connections and the io_ti kernel driver installation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39286 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy