CVE Catalog

CVE-2026-53194

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

4th percentile — higher than 4% of all known CVEs

Summary

A buffer overflow vulnerability was found in the kl5kusb105 USB serial driver in the Linux kernel. The klsi_105_prepare_write_buffer() function copies data from the fifo into a 64-byte buffer without accounting for the two-byte header, causing an out-of-bounds write. The issue was observed by KASAN during device emulation.

Risk Assessment

An attacker could exploit this vulnerability to write beyond the buffer boundaries, potentially causing a kernel panic or privilege escalation. The risk is especially relevant in environments with USB devices using this driver.

Recommendation

Immediately update the Linux kernel to a version containing the fix that limits copying to size - KLSI_HDR_LEN bytes. If an update is not possible, temporarily disable support for USB devices using the kl5kusb105 driver.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: USB: serial: kl5kusb105: fix bulk-out buffer overflow klsi_105_prepare_write_buffer() is called by the generic write path with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It stores a two-byte length header at the start of the buffer and copies the payload from the write fifo starting at buf + KLSI_HDR_LEN, but passes the full buffer size as the number of bytes to copy: count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, size, &port->lock); When the fifo holds at least size bytes, size bytes are copied starting two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for the header as safe_serial already does. Writing bulk_out_size or more bytes to the tty triggers a slab out-of-bounds write, observed with KASAN by emulating the device with dummy_hcd and raw-gadget: BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0 Write of size 64 at addr ffff888112c62202 by task python3 kfifo_copy_out klsi_105_prepare_write_buffer [kl5kusb105] usb_serial_generic_write_start [usbserial] Allocated by task 139: usb_serial_probe [usbserial] The buggy address is located 2 bytes inside of allocated 64-byte region The out-of-bounds write no longer occurs with this change applied.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS