Linux kernel USB serial kl5kusb105 bulk-out buffer overflow fix
CVE-2026-53194 Published on June 25, 2026
USB: serial: kl5kusb105: fix bulk-out buffer overflow
In the Linux kernel, the following vulnerability has been resolved:
USB: serial: kl5kusb105: fix bulk-out buffer overflow
klsi_105_prepare_write_buffer() is called by the generic write path
with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It
stores a two-byte length header at the start of the buffer and copies
the payload from the write fifo starting at buf + KLSI_HDR_LEN, but
passes the full buffer size as the number of bytes to copy:
count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
size, &port->lock);
When the fifo holds at least size bytes, size bytes are copied starting
two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its
end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for
the header as safe_serial already does.
Writing bulk_out_size or more bytes to the tty triggers a slab
out-of-bounds write, observed with KASAN by emulating the device with
dummy_hcd and raw-gadget:
BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0
Write of size 64 at addr ffff888112c62202 by task python3
kfifo_copy_out
klsi_105_prepare_write_buffer [kl5kusb105]
usb_serial_generic_write_start [usbserial]
Allocated by task 139:
usb_serial_probe [usbserial]
The buggy address is located 2 bytes inside of allocated 64-byte region
The out-of-bounds write no longer occurs with this change applied.
Vulnerability Analysis
CVE-2026-53194 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Memory Corruption Vulnerability?
The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.
CVE-2026-53194 has been classified to as a Memory Corruption vulnerability or weakness.
Products Associated with CVE-2026-53194
stack.watch emails you whenever new vulnerabilities are published in Linux Kernel or Red Hat Enterprise Linux (RHEL). Just hit a watch button to start following.
Affected Versions
Linux:- Version 60b3013cdaf3fa8a17243ca46b19db3cbe08d943 and below 60af1fd82983c26604102e63a3fcc822c186cceb is affected.
- Version 60b3013cdaf3fa8a17243ca46b19db3cbe08d943 and below 0a57320f71941d4e0b1307453c9a1f0939afe666 is affected.
- Version 60b3013cdaf3fa8a17243ca46b19db3cbe08d943 and below 14147b7963685957839c76ba8094924e22777d79 is affected.
- Version 60b3013cdaf3fa8a17243ca46b19db3cbe08d943 and below a1288cd700f721c1a119c4f1e8efa234e59caada is affected.
- Version 60b3013cdaf3fa8a17243ca46b19db3cbe08d943 and below 70d86e355c564b5510fde61361df014f5476c83e is affected.
- Version 60b3013cdaf3fa8a17243ca46b19db3cbe08d943 and below 372f33ebed747d91870f57c0a2e62884a870bffa is affected.
- Version 60b3013cdaf3fa8a17243ca46b19db3cbe08d943 and below bde742b076cbe26ecc89c8c68c76ae076a524d02 is affected.
- Version 60b3013cdaf3fa8a17243ca46b19db3cbe08d943 and below 96d47e40bf9db4a9efd5c8fb53287a508d165f14 is affected.
- Version 2.6.35 is affected.
- Before 2.6.35 is unaffected.
- Version 5.10.259, <= 5.10.* is unaffected.
- Version 5.15.210, <= 5.15.* is unaffected.
- Version 6.1.176, <= 6.1.* is unaffected.
- Version 6.6.143, <= 6.6.* is unaffected.
- Version 6.12.94, <= 6.12.* is unaffected.
- Version 6.18.36, <= 6.18.* is unaffected.
- Version 7.0.13, <= 7.0.* is unaffected.
- Version 7.1, <= * is unaffected.