6387 matches found
UBUNTU-CVE-2026-53195
In the Linux kernel, the following vulnerability has been resolved: USB: serial: ioti: fix heap overflow in buildi2cfwhdr buildi2cfwhdr allocates a fixed-size buffer of 161024 - 512 + sizeofstruct tii2cfirmwarerec bytes, then copies le16tocpuimgheader-Length bytes into it without validating that...
CVE-2026-53196
In the Linux kernel USB: serial: io_ti driver, CVE-2026-53196 describes a heap overflow in get_manuf_info() caused by reading rom_desc->Size bytes from an I2C EEPROM into a 10-byte buffer (kmalloc_obj()). Size is only checked against TI_MAX_I2C_SIZE (16384), allowing a malicious device to set ...
EUVD-2026-39287
In the Linux kernel, the following vulnerability has been resolved: USB: serial: ioti: fix heap overflow in getmanufinfo getmanufinfo reads le16tocpuromdesc-Size bytes from the device I2C EEPROM into a buffer allocated with kmallocobj, which is sizeofstruct edgetimanufdescriptor = 10 bytes. The...
CVE-2026-53196 USB: serial: io_ti: fix heap overflow in get_manuf_info()
In the Linux kernel, the following vulnerability has been resolved: USB: serial: ioti: fix heap overflow in getmanufinfo getmanufinfo reads le16tocpuromdesc-Size bytes from the device I2C EEPROM into a buffer allocated with kmallocobj, which is sizeofstruct edgetimanufdescriptor = 10 bytes. The...
CVE-2026-53196 USB: serial: io_ti: fix heap overflow in get_manuf_info()
In the Linux kernel, the following vulnerability has been resolved: USB: serial: ioti: fix heap overflow in getmanufinfo getmanufinfo reads le16tocpuromdesc-Size bytes from the device I2C EEPROM into a buffer allocated with kmallocobj, which is sizeofstruct edgetimanufdescriptor = 10 bytes. The...
CVE-2026-53196
In the Linux kernel, the following vulnerability has been resolved: USB: serial: ioti: fix heap overflow in getmanufinfo getmanufinfo reads le16tocpuromdesc-Size bytes from the device I2C EEPROM into a buffer allocated with kmallocobj, which is sizeofstruct edgetimanufdescriptor = 10 bytes. The...
CVE-2026-53195
In the Linux kernel, the following vulnerability has been resolved: USB: serial: ioti: fix heap overflow in buildi2cfwhdr buildi2cfwhdr allocates a fixed-size buffer of 161024 - 512 + sizeofstruct tii2cfirmwarerec bytes, then copies le16tocpuimgheader-Length bytes into it without validating that...
EUVD-2026-39286
In the Linux kernel, the following vulnerability has been resolved: USB: serial: ioti: fix heap overflow in buildi2cfwhdr buildi2cfwhdr allocates a fixed-size buffer of 161024 - 512 + sizeofstruct tii2cfirmwarerec bytes, then copies le16tocpuimgheader-Length bytes into it without validating that...
CVE-2026-53195
The CVE-2026-53195 issue affects the Linux kernel USB: serial: io_ti driver. build_i2c_fw_hdr() allocates a fixed buffer and copies img_header->Length (up to 65535) without validating it against remaining space, enabling a potential heap overflow. The root cause is that check_fw_sanity() valid...
CVE-2026-53195 USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()
In the Linux kernel, the following vulnerability has been resolved: USB: serial: ioti: fix heap overflow in buildi2cfwhdr buildi2cfwhdr allocates a fixed-size buffer of 161024 - 512 + sizeofstruct tii2cfirmwarerec bytes, then copies le16tocpuimgheader-Length bytes into it without validating that...
CVE-2026-53194
In the Linux kernel, the following vulnerability has been resolved: USB: serial: kl5kusb105: fix bulk-out buffer overflow klsi105preparewritebuffer is called by the generic write path with the bulk-out buffer and its size bulkoutsize, 64 bytes. It stores a two-byte length header at the start of t...
CVE-2026-53194
The CVE-2026-53194 entry covers a defect in the Linux kernel USB serial driver kl5kusb105 (klsi_105_prepare_write_buffer). The bug occurs when the generic write path uses the bulk-out buffer (size 64) and copies the payload from the write_fifo without reserving space for the 2-byte header, result...
CVE-2026-53194 USB: serial: kl5kusb105: fix bulk-out buffer overflow
In the Linux kernel, the following vulnerability has been resolved: USB: serial: kl5kusb105: fix bulk-out buffer overflow klsi105preparewritebuffer is called by the generic write path with the bulk-out buffer and its size bulkoutsize, 64 bytes. It stores a two-byte length header at the start of t...
CVE-2026-53194
In the Linux kernel, the following vulnerability has been resolved: USB: serial: kl5kusb105: fix bulk-out buffer overflow klsi105preparewritebuffer is called by the generic write path with the bulk-out buffer and its size bulkoutsize, 64 bytes. It stores a two-byte length header at the start of t...
EUVD-2026-39285
In the Linux kernel, the following vulnerability has been resolved: USB: serial: kl5kusb105: fix bulk-out buffer overflow klsi105preparewritebuffer is called by the generic write path with the bulk-out buffer and its size bulkoutsize, 64 bytes. It stores a two-byte length header at the start of t...
CVE-2026-53137 drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Clamp HDMI HDCP2 rxidlist read to buffer size Why & How During HDCP 2.x repeater authentication over HDMI, the driver reads the sink's RxStatus register and extracts a 10-bit message size field max value 1023. Th...
PT-2026-52351
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A slab-use-after-free issue exists in the Bluetooth RFCOMM implementation. The function rfcomm get sock by channel scans the rfcomm sk list under a list lock but returns the selected...
PT-2026-52590
Name of the Vulnerable Software and Affected Versions wolfSSL affected versions not specified Description A length-confusion issue exists in the wolfSSL OCSP resp find status function. The lookup process compares serial-number bytes without verifying that the two serial numbers are of equal lengt...
PT-2026-52291
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A heap overflow exists in the build i2c fw hdr function. The function allocates a fixed-size buffer but copies a number of bytes determined by the Length variable from the firmware file...
PT-2026-52292
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A heap overflow exists in the get manuf info function. The issue occurs because the function reads a number of bytes specified by the Size field from a device I2C EEPROM into a buffer...