CVE-2026-53194
Received Received - Intake
USB: serial: kl5kusb105 bulk-out buffer overflow fix

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: USB: serial: kl5kusb105: fix bulk-out buffer overflow klsi_105_prepare_write_buffer() is called by the generic write path with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It stores a two-byte length header at the start of the buffer and copies the payload from the write fifo starting at buf + KLSI_HDR_LEN, but passes the full buffer size as the number of bytes to copy: count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, size, &port->lock); When the fifo holds at least size bytes, size bytes are copied starting two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for the header as safe_serial already does. Writing bulk_out_size or more bytes to the tty triggers a slab out-of-bounds write, observed with KASAN by emulating the device with dummy_hcd and raw-gadget: BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0 Write of size 64 at addr ffff888112c62202 by task python3 kfifo_copy_out klsi_105_prepare_write_buffer [kl5kusb105] usb_serial_generic_write_start [usbserial] Allocated by task 139: usb_serial_probe [usbserial] The buggy address is located 2 bytes inside of allocated 64-byte region The out-of-bounds write no longer occurs with this change applied.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-53194
EUVD
EUVD-2026-39285
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a buffer overflow issue in the Linux kernel's USB serial driver for the kl5kusb105 device. Specifically, the function klsi_105_prepare_write_buffer incorrectly copies data into a bulk-out buffer by using the full buffer size instead of accounting for a two-byte header. This causes the function to write beyond the allocated buffer boundary, leading to an out-of-bounds write.

When the write operation attempts to write bulk_out_size (64 bytes) or more, it overwrites memory past the buffer's end, which was detected by the Kernel Address Sanitizer (KASAN). The issue is fixed by adjusting the copy size to leave room for the header, preventing the overflow.

Impact Analysis

This vulnerability can cause a slab out-of-bounds write in kernel memory when writing data to the affected USB serial device. Such memory corruption can lead to system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.

The impact depends on whether the vulnerable driver is used and if an attacker can trigger the overflow by writing sufficient data to the device. Exploiting this could compromise system security and reliability.

Detection Guidance

This vulnerability involves a bulk-out buffer overflow in the kl5kusb105 USB serial driver in the Linux kernel, which can be detected by observing slab out-of-bounds write errors triggered by writing bulk_out_size or more bytes to the tty device.

Detection can be performed by monitoring kernel logs for KASAN (Kernel Address Sanitizer) reports indicating slab-out-of-bounds errors related to kfifo_copy_out or kl5kusb105.

Suggested commands include checking dmesg or journalctl logs for relevant error messages, for example:

  • dmesg | grep -i 'kfifo_copy_out'
  • journalctl -k | grep -i 'kl5kusb105'
  • journalctl -k | grep -i 'slab-out-of-bounds'

Additionally, attempting to write bulk_out_size (64 bytes) or more to the affected tty device may reproduce the issue if the system is vulnerable.

Mitigation Strategies

The vulnerability has been resolved by correcting the buffer copy size in the kl5kusb105 USB serial driver to prevent out-of-bounds writes.

Immediate mitigation steps include updating the Linux kernel to a version that contains the fix for this vulnerability.

Until the update can be applied, avoid writing bulk_out_size (64 bytes) or more to the affected tty devices associated with kl5kusb105 to prevent triggering the buffer overflow.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53194. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart