Description
In the Linux kernel, the following vulnerability has been resolved: USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() build_i2c_fw_hdr() allocates a fixed-size buffer of (16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes, then copies le16_to_cpu(img_header->Length) bytes into it without validating that Length fits within the available space after the firmware record header. img_header->Length is a __le16 from the firmware file and can be up to 65535. check_fw_sanity() validates the total firmware size but not img_header->Length specifically. Fix by rejecting images where img_header->Length exceeds the available destination space.
References (8)
Core 8
Core References
Scores
CVSS v3
7.8
EPSS
0.0015
EPSS Percentile
4.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-787
Status
published
Products (28)
linux/Kernel
2.6.12 - 5.10.259linux
linux/Kernel
5.11.0 - 5.15.210linux
linux/Kernel
5.16.0 - 6.1.176linux
linux/Kernel
6.13.0 - 6.18.36linux
linux/Kernel
6.19.0 - 7.0.13linux
linux/Kernel
6.2.0 - 6.6.143linux
linux/Kernel
6.7.0 - 6.12.94linux
Linux/Linux
< 2.6.12
Linux/Linux
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 0fd2b00b2d3d05e3eaa13342b3dfb0fa85c226ae
Linux/Linux
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 130d6567eb148040eed1b73e1414ad6c27d22bd5
... and 18 more
Published
Jun 25, 2026
Tracked Since
Jun 25, 2026