Description
In the Linux kernel, the following vulnerability has been resolved:

USB: serial: kl5kusb105: fix bulk-out buffer overflow

klsi_105_prepare_write_buffer() is called by the generic write path
with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It
stores a two-byte length header at the start of the buffer and copies
the payload from the write fifo starting at buf + KLSI_HDR_LEN, but
passes the full buffer size as the number of bytes to copy:

count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
size, &port->lock);

When the fifo holds at least size bytes, size bytes are copied starting
two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its
end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for
the header as safe_serial already does.

Writing bulk_out_size or more bytes to the tty triggers a slab
out-of-bounds write, observed with KASAN by emulating the device with
dummy_hcd and raw-gadget:

BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0
Write of size 64 at addr ffff888112c62202 by task python3
kfifo_copy_out
klsi_105_prepare_write_buffer [kl5kusb105]
usb_serial_generic_write_start [usbserial]
Allocated by task 139:
usb_serial_probe [usbserial]
The buggy address is located 2 bytes inside of allocated 64-byte region

The out-of-bounds write no longer occurs with this change applied.
Published: 2026-06-25
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer overflow in the Linux kl5kusb105 USB serial driver allows an attacker to write beyond the bounds of a 64‑byte bulk‑out buffer. The driver copies payload data directly into the buffer, ignoring the header space, which results in a slab out‑of‑bounds write as confirmed by KASAN. If an attacker sends 64 or more bytes to the device, the kernel may corrupt arbitrary memory, potentially enabling a local privilege escalation or denial of service on the host system.

Affected Systems

The flaw affects the Linux kernel’s kl5kusb105 USB serial driver, but no specific kernel version numbers are listed. Any system whose kernel includes this driver and has not yet incorporated the fix is potentially vulnerable. The vendor is Linux and the product is the Linux kernel.

Risk and Exploitability

The CVSS score is not provided, and EPSS data is unavailable, so the probability of exploitation cannot be quantified. The vulnerability is listed as not part of the CISA KEV catalog. It is likely exploitable only from a local machine that can influence traffic to the USB serial device; however, once triggered, the flaw can corrupt kernel memory with serious consequences. The risk level is moderate to high for affected environments where the driver is active and the device is exposed to untrusted input.

Generated by OpenCVE AI on June 25, 2026 at 10:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the commit fixing the bulk‑out buffer overflow.
  • If an immediate kernel update is not possible, disable or unload the kl5kusb105 driver (modprobe -r kl5kusb105).
  • Restrict access to USB ports or filter USB traffic to only trusted devices, and monitor the system for KASAN or driver errors.
  • Apply any vendor‑supplied security advisories or patches that reference this issue if the kernel update cannot be performed promptly.

Generated by OpenCVE AI on June 25, 2026 at 10:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: USB: serial: kl5kusb105: fix bulk-out buffer overflow klsi_105_prepare_write_buffer() is called by the generic write path with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It stores a two-byte length header at the start of the buffer and copies the payload from the write fifo starting at buf + KLSI_HDR_LEN, but passes the full buffer size as the number of bytes to copy: count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, size, &port->lock); When the fifo holds at least size bytes, size bytes are copied starting two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for the header as safe_serial already does. Writing bulk_out_size or more bytes to the tty triggers a slab out-of-bounds write, observed with KASAN by emulating the device with dummy_hcd and raw-gadget: BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0 Write of size 64 at addr ffff888112c62202 by task python3 kfifo_copy_out klsi_105_prepare_write_buffer [kl5kusb105] usb_serial_generic_write_start [usbserial] Allocated by task 139: usb_serial_probe [usbserial] The buggy address is located 2 bytes inside of allocated 64-byte region The out-of-bounds write no longer occurs with this change applied.
Title USB: serial: kl5kusb105: fix bulk-out buffer overflow
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:05.017Z

Reserved: 2026-06-09T07:44:35.390Z

Link: CVE-2026-53194

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T11:00:11Z

Weaknesses
  • CWE-122

    Heap-based Buffer Overflow