CVE-2026-53195

In the Linux kernel, the following vulnerability has been resolved:

USB: serial: io ti: fix heap overflow in build i2c fw hdr()

build i2c fw hdr() allocates a fixed-size buffer of (16*1024 - 512) + sizeof(struct ti i2c firmware rec) bytes, then copies le16 to cpu(img header->Length) bytes into it without validating that Length fits within the available space after the firmware record header.

img header->Length is a le16 from the firmware file and can be up to 65535. check fw sanity() validates the total firmware size but not img header->Length specifically.

Fix by rejecting images where img header->Length exceeds the available destination space.