USB: serial: kl5kusb105: fix bulk-out buffer overflow_CVE-2026-53194

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

USB: serial: kl5kusb105: fix bulk-out buffer overflow

klsi_105_prepare_write_buffer() is called by the generic write path
with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It
stores a two-byte length header at the start of the buffer and copies
the payload from the write fifo starting at buf + KLSI_HDR_LEN, but
passes the full buffer size as the number of bytes to copy:

count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
size, &port->lock);

When the fifo holds at least size bytes, size bytes are copied starting
two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its
end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for
the header as safe_serial already does.

Writing bulk_out_size or more bytes to the tty triggers a slab
out-of-bounds write, observed with KASAN by emulating the device with
dummy_hcd and raw-gadget:

BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0
Write of size 64 at addr ffff888112c62202 by task python3
kfifo_copy_out
klsi_105_prepare_write_buffer [kl5kusb105]
usb_serial_generic_write_start [usbserial]
Allocated by task 139:
usb_serial_probe [usbserial]
The buggy address is located 2 bytes inside of allocated 64-byte region

The out-of-bounds write no longer occurs with this change applied.

Basic Information

ID CVE-2026-53194

Source Linux

Published Jun 25, 2026 at 08:39

Modified Jun 28, 2026 at 06:40

Affected Product

Vendor Linux

Product Linux

Version 60b3013cdaf3fa8a17243ca46b19db3cbe08d943

Affected Versions Linux Linux 60b3013cdaf3fa8a17243ca46b19db3cbe08d943
Linux Linux 60b3013cdaf3fa8a17243ca46b19db3cbe08d943
Linux Linux 60b3013cdaf3fa8a17243ca46b19db3cbe08d943
Linux Linux 60b3013cdaf3fa8a17243ca46b19db3cbe08d943
Linux Linux 60b3013cdaf3fa8a17243ca46b19db3cbe08d943
Linux Linux 60b3013cdaf3fa8a17243ca46b19db3cbe08d943
Linux Linux 60b3013cdaf3fa8a17243ca46b19db3cbe08d943
Linux Linux 60b3013cdaf3fa8a17243ca46b19db3cbe08d943
Linux Linux 2.6.35

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: serial: kl5kusb105: fix bulk-out buffer overflow\n\nklsi_105_prepare_write_buffer() is called by the generic write path\nwith the bulk-out buffer and its size (bulk_out_size, 64 bytes). It\nstores a two-byte length header at the start of the buffer and copies\nthe payload from the write fifo starting at buf + KLSI_HDR_LEN, but\npasses the full buffer size as the number of bytes to copy:\n\n  count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,\n                           size, &port->lock);\n\nWhen the fifo holds at least size bytes, size bytes are copied starting\ntwo bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its\nend. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for\nthe header as safe_serial already does.\n\nWriting bulk_out_size or more bytes to the tty triggers a slab\nout-of-bounds write, observed with KASAN by emulating the device with\ndummy_hcd and raw-gadget:\n\n  BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0\n  Write of size 64 at addr ffff888112c62202 by task python3\n   kfifo_copy_out\n   klsi_105_prepare_write_buffer [kl5kusb105]\n   usb_serial_generic_write_start [usbserial]\n  Allocated by task 139:\n   usb_serial_probe [usbserial]\n  The buggy address is located 2 bytes inside of allocated 64-byte region\n\nThe out-of-bounds write no longer occurs with this change applied.",
    "published": "2026-06-25T08:39:05.017Z",
    "modified": "2026-06-28T06:40:13.470Z",
    "type": "cve",
    "title": "USB: serial: kl5kusb105: fix bulk-out buffer overflow",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/60af1fd82983c26604102e63a3fcc822c186cceb\nhttps://git.kernel.org/stable/c/0a57320f71941d4e0b1307453c9a1f0939afe666\nhttps://git.kernel.org/stable/c/14147b7963685957839c76ba8094924e22777d79\nhttps://git.kernel.org/stable/c/a1288cd700f721c1a119c4f1e8efa234e59caada\nhttps://git.kernel.org/stable/c/70d86e355c564b5510fde61361df014f5476c83e\nhttps://git.kernel.org/stable/c/372f33ebed747d91870f57c0a2e62884a870bffa\nhttps://git.kernel.org/stable/c/bde742b076cbe26ecc89c8c68c76ae076a524d02\nhttps://git.kernel.org/stable/c/96d47e40bf9db4a9efd5c8fb53287a508d165f14",
    "id": "CVE-2026-53194",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 60b3013cdaf3fa8a17243ca46b19db3cbe08d943\nLinux Linux 60b3013cdaf3fa8a17243ca46b19db3cbe08d943\nLinux Linux 60b3013cdaf3fa8a17243ca46b19db3cbe08d943\nLinux Linux 60b3013cdaf3fa8a17243ca46b19db3cbe08d943\nLinux Linux 60b3013cdaf3fa8a17243ca46b19db3cbe08d943\nLinux Linux 60b3013cdaf3fa8a17243ca46b19db3cbe08d943\nLinux Linux 60b3013cdaf3fa8a17243ca46b19db3cbe08d943\nLinux Linux 60b3013cdaf3fa8a17243ca46b19db3cbe08d943\nLinux Linux 2.6.35",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "60b3013cdaf3fa8a17243ca46b19db3cbe08d943",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply