In the Linux kernel, the following vulnerability has been resolved:
USB: serial: ioti: fix heap overflow in buildi2cfwhdr()
buildi2cfwhdr() allocates a fixed-size buffer of (16*1024 - 512) + sizeof(struct tii2cfirmwarerec) bytes, then copies le16tocpu(img_header->Length) bytes into it without validating that Length fits within the available space after the firmware record header.
img_header->Length is a _le16 from the firmware file and can be up to 65535. checkfwsanity() validates the total firmware size but not imgheader->Length specifically.
Fix by rejecting images where img_header->Length exceeds the available destination space.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53195.json",
"cna_assigner": "Linux"
}