GHSA-WWC5-7R8X-52GG
Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-06-30 03:37In the Linux kernel, the following vulnerability has been resolved:
USB: serial: kl5kusb105: fix bulk-out buffer overflow
klsi_105_prepare_write_buffer() is called by the generic write path with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It stores a two-byte length header at the start of the buffer and copies the payload from the write fifo starting at buf + KLSI_HDR_LEN, but passes the full buffer size as the number of bytes to copy:
count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, size, &port->lock);
When the fifo holds at least size bytes, size bytes are copied starting two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for the header as safe_serial already does.
Writing bulk_out_size or more bytes to the tty triggers a slab out-of-bounds write, observed with KASAN by emulating the device with dummy_hcd and raw-gadget:
BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0 Write of size 64 at addr ffff888112c62202 by task python3 kfifo_copy_out klsi_105_prepare_write_buffer [kl5kusb105] usb_serial_generic_write_start [usbserial] Allocated by task 139: usb_serial_probe [usbserial] The buggy address is located 2 bytes inside of allocated 64-byte region
The out-of-bounds write no longer occurs with this change applied.
{
"affected": [],
"aliases": [
"CVE-2026-53194"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T09:16:36Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: serial: kl5kusb105: fix bulk-out buffer overflow\n\nklsi_105_prepare_write_buffer() is called by the generic write path\nwith the bulk-out buffer and its size (bulk_out_size, 64 bytes). It\nstores a two-byte length header at the start of the buffer and copies\nthe payload from the write fifo starting at buf + KLSI_HDR_LEN, but\npasses the full buffer size as the number of bytes to copy:\n\n count = kfifo_out_locked(\u0026port-\u003ewrite_fifo, buf + KLSI_HDR_LEN,\n size, \u0026port-\u003elock);\n\nWhen the fifo holds at least size bytes, size bytes are copied starting\ntwo bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its\nend. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for\nthe header as safe_serial already does.\n\nWriting bulk_out_size or more bytes to the tty triggers a slab\nout-of-bounds write, observed with KASAN by emulating the device with\ndummy_hcd and raw-gadget:\n\n BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0\n Write of size 64 at addr ffff888112c62202 by task python3\n kfifo_copy_out\n klsi_105_prepare_write_buffer [kl5kusb105]\n usb_serial_generic_write_start [usbserial]\n Allocated by task 139:\n usb_serial_probe [usbserial]\n The buggy address is located 2 bytes inside of allocated 64-byte region\n\nThe out-of-bounds write no longer occurs with this change applied.",
"id": "GHSA-wwc5-7r8x-52gg",
"modified": "2026-06-30T03:37:13Z",
"published": "2026-06-25T09:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53194"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-53194"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492703"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0a57320f71941d4e0b1307453c9a1f0939afe666"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/14147b7963685957839c76ba8094924e22777d79"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/372f33ebed747d91870f57c0a2e62884a870bffa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/60af1fd82983c26604102e63a3fcc822c186cceb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/70d86e355c564b5510fde61361df014f5476c83e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/96d47e40bf9db4a9efd5c8fb53287a508d165f14"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a1288cd700f721c1a119c4f1e8efa234e59caada"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bde742b076cbe26ecc89c8c68c76ae076a524d02"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53194.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.