USB: serial: kl5kusb105: fix bulk-out buffer overflow

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-53194
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-06-25 09:16:36 UTC
Updated2026-06-28 08:16:37 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: USB: serial: kl5kusb105: fix bulk-out buffer overflow klsi_105_prepare_write_buffer() is called by the generic write path with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It stores a two-byte length header at the start of the buffer and copies the payload from the write fifo starting at buf + KLSI_HDR_LEN, but passes the full buffer size as the number of bytes to copy: count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, size, &port->lock); When the fifo holds at least size bytes, size bytes are copied starting two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for the header as safe_serial already does. Writing bulk_out_size or more bytes to the tty triggers a slab out-of-bounds write, observed with KASAN by emulating the device with dummy_hcd and raw-gadget: BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0 Write of size 64 at addr ffff888112c62202 by task python3 kfifo_copy_out klsi_105_prepare_write_buffer [kl5kusb105] usb_serial_generic_write_start [usbserial] Allocated by task 139: usb_serial_probe [usbserial] The buggy address is located 2 bytes inside of allocated 64-byte region The out-of-bounds write no longer occurs with this change applied.

Risk And Classification

Primary CVSS: v3.1 7.8 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001950000 probability, percentile 0.094020000 (date 2026-06-27)

VersionSourceTypeScoreSeverityVector
3.1416baaa9-dc9f-4396-8d5f-8c081fb06d67Secondary7.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
3.1CNADECLARED7.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v3.1 Breakdown

Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 60b3013cdaf3fa8a17243ca46b19db3cbe08d943 60af1fd82983c26604102e63a3fcc822c186cceb git Not specified
CNA Linux Linux affected 60b3013cdaf3fa8a17243ca46b19db3cbe08d943 0a57320f71941d4e0b1307453c9a1f0939afe666 git Not specified
CNA Linux Linux affected 60b3013cdaf3fa8a17243ca46b19db3cbe08d943 14147b7963685957839c76ba8094924e22777d79 git Not specified
CNA Linux Linux affected 60b3013cdaf3fa8a17243ca46b19db3cbe08d943 a1288cd700f721c1a119c4f1e8efa234e59caada git Not specified
CNA Linux Linux affected 60b3013cdaf3fa8a17243ca46b19db3cbe08d943 70d86e355c564b5510fde61361df014f5476c83e git Not specified
CNA Linux Linux affected 60b3013cdaf3fa8a17243ca46b19db3cbe08d943 372f33ebed747d91870f57c0a2e62884a870bffa git Not specified
CNA Linux Linux affected 60b3013cdaf3fa8a17243ca46b19db3cbe08d943 bde742b076cbe26ecc89c8c68c76ae076a524d02 git Not specified
CNA Linux Linux affected 60b3013cdaf3fa8a17243ca46b19db3cbe08d943 96d47e40bf9db4a9efd5c8fb53287a508d165f14 git Not specified
CNA Linux Linux affected 2.6.35 Not specified
CNA Linux Linux unaffected 2.6.35 semver Not specified
CNA Linux Linux unaffected 5.10.259 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.210 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.176 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.143 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.94 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.36 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.13 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/0a57320f71941d4e0b1307453c9a1f0939afe666 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/60af1fd82983c26604102e63a3fcc822c186cceb 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/372f33ebed747d91870f57c0a2e62884a870bffa 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/96d47e40bf9db4a9efd5c8fb53287a508d165f14 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/14147b7963685957839c76ba8094924e22777d79 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/a1288cd700f721c1a119c4f1e8efa234e59caada 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/bde742b076cbe26ecc89c8c68c76ae076a524d02 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/70d86e355c564b5510fde61361df014f5476c83e 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report