In the Linux kernel, the following vulnerability has been resolved:
USB: serial: kl5kusb105: fix bulk-out buffer overflow
klsi105preparewritebuffer() is called by the generic write path with the bulk-out buffer and its size (bulkoutsize, 64 bytes). It stores a two-byte length header at the start of the buffer and copies the payload from the write fifo starting at buf + KLSIHDRLEN, but passes the full buffer size as the number of bytes to copy:
count = kfifooutlocked(&port->writefifo, buf + KLSIHDR_LEN, size, &port->lock);
When the fifo holds at least size bytes, size bytes are copied starting two bytes into the size-byte buffer, writing KLSIHDRLEN bytes past its end. Copy at most size - KLSIHDRLEN bytes instead, leaving room for the header as safe_serial already does.
Writing bulkoutsize or more bytes to the tty triggers a slab out-of-bounds write, observed with KASAN by emulating the device with dummy_hcd and raw-gadget:
BUG: KASAN: slab-out-of-bounds in kfifocopyout+0x83/0xc0 Write of size 64 at addr ffff888112c62202 by task python3 kfifocopyout klsi105preparewritebuffer [kl5kusb105] usbserialgenericwritestart [usbserial] Allocated by task 139: usbserialprobe [usbserial] The buggy address is located 2 bytes inside of allocated 64-byte region
The out-of-bounds write no longer occurs with this change applied.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53194.json",
"cna_assigner": "Linux"
}