CVE-2026-53194

Summary

In the Linux kernel, the following vulnerability has been resolved:

USB: serial: kl5kusb105: fix bulk-out buffer overflow

klsi_105_prepare_write_buffer() is called by the generic write path with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It stores a two-byte length header at the start of the buffer and copies the payload from the write fifo starting at buf + KLSI_HDR_LEN, but passes the full buffer size as the number of bytes to copy:

count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, size, &port->lock);

When the fifo holds at least size bytes, size bytes are copied starting two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for the header as safe_serial already does.

Writing bulk_out_size or more bytes to the tty triggers a slab out-of-bounds write, observed with KASAN by emulating the device with dummy_hcd and raw-gadget:

BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0 Write of size 64 at addr ffff888112c62202 by task python3 kfifo_copy_out klsi_105_prepare_write_buffer [kl5kusb105] usb_serial_generic_write_start [usbserial] Allocated by task 139: usb_serial_probe [usbserial] The buggy address is located 2 bytes inside of allocated 64-byte region

The out-of-bounds write no longer occurs with this change applied.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux60b3013cdaf3fa8a17243ca46b19db3cbe08d943 < 60af1fd82983c26604102e63a3fcc822c186ccebaffected
LinuxLinux60b3013cdaf3fa8a17243ca46b19db3cbe08d943 < 0a57320f71941d4e0b1307453c9a1f0939afe666affected
LinuxLinux60b3013cdaf3fa8a17243ca46b19db3cbe08d943 < 14147b7963685957839c76ba8094924e22777d79affected
LinuxLinux60b3013cdaf3fa8a17243ca46b19db3cbe08d943 < a1288cd700f721c1a119c4f1e8efa234e59caadaaffected
LinuxLinux60b3013cdaf3fa8a17243ca46b19db3cbe08d943 < 70d86e355c564b5510fde61361df014f5476c83eaffected
LinuxLinux60b3013cdaf3fa8a17243ca46b19db3cbe08d943 < 372f33ebed747d91870f57c0a2e62884a870bffaaffected
LinuxLinux60b3013cdaf3fa8a17243ca46b19db3cbe08d943 < bde742b076cbe26ecc89c8c68c76ae076a524d02affected
LinuxLinux60b3013cdaf3fa8a17243ca46b19db3cbe08d943 < 96d47e40bf9db4a9efd5c8fb53287a508d165f14affected
LinuxLinux2.6.35affected
LinuxLinux0 < 2.6.35unaffected
LinuxLinux5.10.259 <= 5.10.*unaffected
LinuxLinux5.15.210 <= 5.15.*unaffected
LinuxLinux6.1.176 <= 6.1.*unaffected
LinuxLinux6.6.143 <= 6.6.*unaffected
LinuxLinux6.12.94 <= 6.12.*unaffected
LinuxLinux6.18.36 <= 6.18.*unaffected
LinuxLinux7.0.13 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

ADP Enrichment

kernel: USB: serial: kl5kusb105: fix bulk-out buffer overflow

Additional References

References