CVE-2026-53194

Source
https://cve.org/CVERecord?id=CVE-2026-53194
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53194.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53194
Downstream
Related
Published
2026-06-25T08:39:05.017Z
Modified
2026-07-08T08:09:46.622657905Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
USB: serial: kl5kusb105: fix bulk-out buffer overflow
Details

In the Linux kernel, the following vulnerability has been resolved:

USB: serial: kl5kusb105: fix bulk-out buffer overflow

klsi105preparewritebuffer() is called by the generic write path with the bulk-out buffer and its size (bulkoutsize, 64 bytes). It stores a two-byte length header at the start of the buffer and copies the payload from the write fifo starting at buf + KLSIHDRLEN, but passes the full buffer size as the number of bytes to copy:

count = kfifooutlocked(&port->writefifo, buf + KLSIHDR_LEN, size, &port->lock);

When the fifo holds at least size bytes, size bytes are copied starting two bytes into the size-byte buffer, writing KLSIHDRLEN bytes past its end. Copy at most size - KLSIHDRLEN bytes instead, leaving room for the header as safe_serial already does.

Writing bulkoutsize or more bytes to the tty triggers a slab out-of-bounds write, observed with KASAN by emulating the device with dummy_hcd and raw-gadget:

BUG: KASAN: slab-out-of-bounds in kfifocopyout+0x83/0xc0 Write of size 64 at addr ffff888112c62202 by task python3 kfifocopyout klsi105preparewritebuffer [kl5kusb105] usbserialgenericwritestart [usbserial] Allocated by task 139: usbserialprobe [usbserial] The buggy address is located 2 bytes inside of allocated 64-byte region

The out-of-bounds write no longer occurs with this change applied.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53194.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
60b3013cdaf3fa8a17243ca46b19db3cbe08d943
Fixed
60af1fd82983c26604102e63a3fcc822c186cceb
Fixed
0a57320f71941d4e0b1307453c9a1f0939afe666
Fixed
14147b7963685957839c76ba8094924e22777d79
Fixed
a1288cd700f721c1a119c4f1e8efa234e59caada
Fixed
70d86e355c564b5510fde61361df014f5476c83e
Fixed
372f33ebed747d91870f57c0a2e62884a870bffa
Fixed
bde742b076cbe26ecc89c8c68c76ae076a524d02
Fixed
96d47e40bf9db4a9efd5c8fb53287a508d165f14

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53194.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.35
Fixed
5.10.259
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.210
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.176
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.143
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.94
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53194.json"