PT-2026-52292 · Linux · Linux
Published
2026-06-25
·
Updated
2026-06-25
·
CVE-2026-53196
None
No severity ratings or metrics are available. When they become available, we will update the corresponding information on this page.
In the Linux kernel, the following vulnerability has been resolved:
USB: serial: io_ti: fix heap overflow in get_manuf_info()
get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the
device I2C EEPROM into a buffer allocated with kmalloc_obj(), which
is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.
The Size field comes from the device and is only validated (in
check_i2c_image()) to make sure the descriptor fits within
TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size.
A malicious USB device can therefore set Size to any value up to 16377,
causing a heap overflow of up to 16367 bytes when plugged into a host
running this driver.
valid_csum() is called after read_rom() and also iterates
buffer[0..Size-1], compounding the out-of-bounds access.
Fix by rejecting descriptors with unexpected length before calling
read_rom().
[ johan: amend commit message; also check for short descriptors ]
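The following is an added example, not kernel code, that models the bug class described in the commit message and the shape of the fix: a device-supplied length field is bounded only against the size of the image it lives in, never against the destination buffer it is copied into. The struct layouts (`struct manuf_descriptor`, `struct rom_desc`), the in-memory `read_rom()` model, and the helper names `image_bound_check()`, `manuf_desc_len_check()` and `overflow_bytes()` are assumptions made for this example; only the sizes 10 and 16384 and the Size value 16377 come from the message. The EEPROM images are constructed, not real dumps.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TI_MAX_I2C_SIZE 16384u   /* image bound named in the commit message */

/* Hypothetical stand-in for the 10-byte struct edge_ti_manuf_descriptor;
 * the field layout is invented for the example, only the size matters. */
struct manuf_descriptor {
    uint16_t id_version;
    uint8_t  num_ports;
    uint8_t  serial[7];
};
_Static_assert(sizeof(struct manuf_descriptor) == 10, "descriptor must be 10 bytes");

/* Hypothetical ROM descriptor header: a type byte, then little-endian Size. */
struct rom_desc {
    uint8_t type;
    uint8_t size_le[2];
};

static uint16_t le16_to_host(const uint8_t b[2])
{
    return (uint16_t)(b[0] | (b[1] << 8));
}

/* Image-level bound only, i.e. what the message says check_i2c_image() does:
 * the descriptor must fit inside the EEPROM image. It says nothing about the
 * destination buffer, so a hostile Size of 16377 passes. Returns 0 if accepted. */
static int image_bound_check(size_t desc_offset, uint16_t size)
{
    if (desc_offset + sizeof(struct rom_desc) + size > TI_MAX_I2C_SIZE)
        return -EINVAL;
    return 0;
}

/* Destination-aware check (the one the fix adds): accept only the exact
 * expected length. Short descriptors are rejected as well, otherwise the
 * fields past the copied bytes would be consumed uninitialised. */
static int manuf_desc_len_check(uint16_t size)
{
    if (size != sizeof(struct manuf_descriptor))
        return -EINVAL;
    return 0;
}

/* Bytes an unchecked copy of Size bytes would write past the 10-byte object. */
static size_t overflow_bytes(uint16_t size)
{
    return size > sizeof(struct manuf_descriptor)
           ? size - sizeof(struct manuf_descriptor) : 0;
}

/* Model of read_rom(): copy len bytes at off out of an in-memory image. */
static int read_rom(const uint8_t *image, size_t image_len,
                    size_t off, size_t len, void *dst)
{
    if (off > image_len || len > image_len - off)
        return -EIO;
    memcpy(dst, image + off, len);
    return 0;
}

/* Hardened get_manuf_info(): validate the device-supplied Size against the
 * destination object before it is ever used as a copy length. */
static int get_manuf_info(const uint8_t *image, size_t image_len,
                          size_t desc_offset, struct manuf_descriptor *out)
{
    struct rom_desc hdr;
    int ret = read_rom(image, image_len, desc_offset, sizeof(hdr), &hdr);
    if (ret)
        return ret;
    uint16_t size = le16_to_host(hdr.size_le);
    ret = image_bound_check(desc_offset, size);   /* pre-existing check */
    if (ret)
        return ret;
    ret = manuf_desc_len_check(size);             /* added by the fix */
    if (ret)
        return ret;
    return read_rom(image, image_len, desc_offset + sizeof(hdr), size, out);
}

/* Constructed benign image: header claims Size = 10, followed by 10 bytes. */
static int run_benign(void)
{
    uint8_t image[3 + 10] = { 0x01, 10, 0,
                              0x34, 0x12, 4, '1', '2', '3', '4', '5', '6', '7' };
    struct manuf_descriptor d;
    return get_manuf_info(image, sizeof image, 0, &d) == 0 && d.num_ports == 4;
}

/* Constructed hostile image: header claims Size = 16377 (0x3FF9). */
static int run_hostile(void)
{
    uint8_t image[3] = { 0x01, 0xF9, 0x3F };
    struct manuf_descriptor d;
    return get_manuf_info(image, sizeof image, 0, &d);   /* -EINVAL, no copy */
}

int main(void)
{
    printf("image bound alone accepts 16377: %s\n",
           image_bound_check(0, 16377) == 0 ? "yes" : "no");
    printf("unchecked copy would overflow by %zu bytes\n", overflow_bytes(16377));
    printf("benign descriptor parsed: %d, hostile rejected: %d\n",
           run_benign(), run_hostile() == -EINVAL);
    return 0;
}
```

The point to carry over to any driver that parses device-supplied lengths: a bound against the container (here the 16384-byte image) is not a bound against the destination. Compare the length to `sizeof(*dst)` before the copy, and reject short descriptors too, not just long ones.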
Related identifiers
Affected products
Linux