Description
In the Linux kernel, the following vulnerability has been resolved:

USB: serial: kl5kusb105: fix bulk-out buffer overflow

klsi_105_prepare_write_buffer() is called by the generic write path
with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It
stores a two-byte length header at the start of the buffer and copies
the payload from the write fifo starting at buf + KLSI_HDR_LEN, but
passes the full buffer size as the number of bytes to copy:

count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
size, &port->lock);

When the fifo holds at least size bytes, size bytes are copied starting
two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its
end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for
the header as safe_serial already does.

Writing bulk_out_size or more bytes to the tty triggers a slab
out-of-bounds write, observed with KASAN by emulating the device with
dummy_hcd and raw-gadget:

BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0
Write of size 64 at addr ffff888112c62202 by task python3
kfifo_copy_out
klsi_105_prepare_write_buffer [kl5kusb105]
usb_serial_generic_write_start [usbserial]
Allocated by task 139:
usb_serial_probe [usbserial]
The buggy address is located 2 bytes inside of allocated 64-byte region

The out-of-bounds write no longer occurs with this change applied.
Published: 2026-06-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A bulk‑out buffer overflow flaw in the Linux kl5kusb105 USB serial driver allows a local attacker to write beyond the bounds of a 64‑byte buffer. The driver copies payload data into the buffer without accounting for a two‑byte header, resulting in a slab out‑of‑bounds write that can corrupt kernel memory. Such memory corruption can provide an attacker with the ability to execute arbitrary code with kernel privileges.

Affected Systems

The issue affects the kl5kusb105 USB serial driver in the Linux kernel. Any system running a kernel that has not incorporated the commit fixing the overflow is potentially vulnerable. No specific kernel version numbers are listed, so all releases containing the driver before the patch are at risk.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity vulnerability, while the EPSS score of <1% shows a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local, requiring an attacker to interface with the USB serial device and transmit 64 or more bytes of data through the bulk‑out endpoint. Once triggered, the overflow can corrupt kernel memory, potentially allowing privilege escalation. The exploitability is limited to environments where the vulnerable driver is loaded and accessible.

Generated by OpenCVE AI on June 28, 2026 at 14:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the commit fixing the bulk‑out buffer overflow.
  • If a kernel update is not immediately possible, unload or disable the kl5kusb105 driver (for example, run 'modprobe -r kl5kusb105').
  • Restrict USB port usage or filter traffic so that only trusted USB devices can communicate with the system, and monitor for driver errors or memory corruption reports.

Generated by OpenCVE AI on June 28, 2026 at 14:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Thu, 25 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: USB: serial: kl5kusb105: fix bulk-out buffer overflow klsi_105_prepare_write_buffer() is called by the generic write path with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It stores a two-byte length header at the start of the buffer and copies the payload from the write fifo starting at buf + KLSI_HDR_LEN, but passes the full buffer size as the number of bytes to copy: count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, size, &port->lock); When the fifo holds at least size bytes, size bytes are copied starting two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for the header as safe_serial already does. Writing bulk_out_size or more bytes to the tty triggers a slab out-of-bounds write, observed with KASAN by emulating the device with dummy_hcd and raw-gadget: BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0 Write of size 64 at addr ffff888112c62202 by task python3 kfifo_copy_out klsi_105_prepare_write_buffer [kl5kusb105] usb_serial_generic_write_start [usbserial] Allocated by task 139: usb_serial_probe [usbserial] The buggy address is located 2 bytes inside of allocated 64-byte region The out-of-bounds write no longer occurs with this change applied.
Title USB: serial: kl5kusb105: fix bulk-out buffer overflow
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-15T00:44:36.635Z

Reserved: 2026-06-09T07:44:35.390Z

Link: CVE-2026-53194

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53194 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:45:17Z

Weaknesses