CVE-2026-53195 Overview
CVE-2026-53195 is a heap overflow vulnerability in the Linux kernel's USB serial io_ti driver. The flaw resides in the build_i2c_fw_hdr() function, which handles firmware images for Edgeport USB-to-serial converters. The function allocates a fixed-size buffer and then copies a length value directly from the firmware image header without validating that the value fits within the destination. A crafted firmware file can therefore trigger an out-of-bounds write on the kernel heap.
Critical Impact
A malicious or malformed firmware image processed by the io_ti driver can corrupt kernel heap memory, potentially leading to denial of service or local privilege escalation on systems where firmware loading is reachable.
Affected Products
- Linux kernel drivers/usb/serial/io_ti.c (USB serial Edgeport TI driver)
- Multiple stable kernel branches addressed by the eight upstream fix commits referenced by the CVE
- Distributions shipping vulnerable kernels with the io_ti driver enabled
Discovery Timeline
- 2026-06-25 - CVE-2026-53195 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-53195
Vulnerability Analysis
The build_i2c_fw_hdr() function in drivers/usb/serial/io_ti.c constructs an I2C firmware header used when programming Edgeport TI-based USB serial devices. The function allocates a destination buffer of (16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes. It then performs a copy of le16_to_cpu(img_header->Length) bytes into that buffer, placing data after the firmware record header.
The img_header->Length field is a little-endian 16-bit value read directly from the firmware file. Its maximum value is 65535, which exceeds the space remaining in the destination buffer after the ti_i2c_firmware_rec header. Because no bounds check ties Length to the available destination capacity, oversized values cause the memcpy to write past the end of the allocated region.
The upstream fix rejects images where img_header->Length exceeds the available destination space, returning an error before the copy occurs. This is classified as a heap overflow caused by improper input validation [CWE-122, CWE-20].
Root Cause
The check_fw_sanity() routine validates the overall firmware size but does not constrain the Length field inside the firmware record header. The driver trusts attacker-controllable data from the firmware blob to determine how many bytes to copy into a fixed-size kernel heap allocation.
Attack Vector
Exploitation requires the kernel to load a malicious firmware image through the io_ti driver path. This can occur when a crafted firmware file is placed where the kernel firmware loader resolves it, or when a user with sufficient privileges triggers firmware programming. Successful exploitation corrupts adjacent heap objects, which can be shaped to achieve denial of service or kernel memory corruption suitable for privilege escalation.
No verified public exploit code is available for CVE-2026-53195. The vulnerability mechanism is documented in the upstream commits referenced under External References.
Detection Methods for CVE-2026-53195
Indicators of Compromise
- Kernel oops, KASAN reports, or slab-out-of-bounds warnings referencing build_i2c_fw_hdr or io_ti in dmesg
- Unexpected USB serial firmware load attempts targeting Edgeport TI devices on hosts that do not normally use them
- Presence of unsigned or unexpected firmware blobs in /lib/firmware/edgeport/ resolved by the kernel firmware loader
Detection Strategies
- Monitor kernel logs for memory corruption signatures involving the io_ti driver and USB serial subsystem
- Audit installed kernel package versions against the fixed commits listed in the kernel.org references
- Use kernel runtime hardening features such as KASAN in test environments to catch out-of-bounds writes during firmware load
Monitoring Recommendations
- Alert on loading of the io_ti kernel module on systems where Edgeport USB serial adapters are not in use
- Track udev and request_firmware events for the Edgeport TI firmware files
- Correlate USB device attach events with subsequent kernel warnings to identify potential exploitation attempts
How to Mitigate CVE-2026-53195
Immediate Actions Required
- Apply the stable kernel updates that include the upstream fix to build_i2c_fw_hdr() for your distribution and kernel branch
- Blacklist the io_ti module on systems that do not require Edgeport USB serial functionality
- Restrict physical and administrative access to systems handling USB serial firmware programming
Patch Information
The issue is resolved by patches that validate img_header->Length against the available destination space in build_i2c_fw_hdr() before performing the copy. The fix has been merged across multiple stable branches. Refer to the upstream commits: Kernel Git Commit 0fd2b00, Kernel Git Commit 130d656, Kernel Git Commit 294692d, Kernel Git Commit 2fd64bf, Kernel Git Commit 3e18715, Kernel Git Commit 4cb7227, Kernel Git Commit 5a79b63, and Kernel Git Commit b7faf66.
Workarounds
- Disable autoloading of the io_ti module via modprobe blacklist configuration where the driver is not needed
- Remove or restrict permissions on Edgeport firmware blobs in /lib/firmware/ to prevent unintended firmware loads
- Enforce signed firmware policies and limit which users can trigger USB device firmware programming
# Configuration example: blacklist the io_ti driver where Edgeport adapters are not used
echo "blacklist io_ti" | sudo tee /etc/modprobe.d/blacklist-io_ti.conf
sudo depmod -a
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

