CVE-2026-53194

EUVD-2026-39285

25.06.2026, 09:16

In the Linux kernel, the following vulnerability has been resolved:

USB: serial: kl5kusb105: fix bulk-out buffer overflow

klsi_105_prepare_write_buffer() is called by the generic write path
with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It
stores a two-byte length header at the start of the buffer and copies
the payload from the write fifo starting at buf + KLSI_HDR_LEN, but
passes the full buffer size as the number of bytes to copy:

  count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
                           size, &port->lock);

When the fifo holds at least size bytes, size bytes are copied starting
two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its
end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for
the header as safe_serial already does.

Writing bulk_out_size or more bytes to the tty triggers a slab
out-of-bounds write, observed with KASAN by emulating the device with
dummy_hcd and raw-gadget:

  BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0
  Write of size 64 at addr ffff888112c62202 by task python3
   kfifo_copy_out
   klsi_105_prepare_write_buffer [kl5kusb105]
   usb_serial_generic_write_start [usbserial]
  Allocated by task 139:
   usb_serial_probe [usbserial]
  The buggy address is located 2 bytes inside of allocated 64-byte region

The out-of-bounds write no longer occurs with this change applied.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 9%

Debian Releases

Debian Product

Codename

linux

bookworm	vulnerable
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
forky	vulnerable
sid	7.0.13-1 fixed
trixie	vulnerable
trixie (security)	6.12.94-1 fixed

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein entfernter Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um Sicherheitsvorkehrungen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen und weitere, nicht näher spezifizierte Auswirkungen zu erzielen.
Published: 2026-06-24T22:00:00+00:00

References

https://git.kernel.org/stable/c/0a57320f71941d4e0b1307453c9a1f0939afe666

https://git.kernel.org/stable/c/14147b7963685957839c76ba8094924e22777d79

https://git.kernel.org/stable/c/372f33ebed747d91870f57c0a2e62884a870bffa

https://git.kernel.org/stable/c/60af1fd82983c26604102e63a3fcc822c186cceb

https://git.kernel.org/stable/c/70d86e355c564b5510fde61361df014f5476c83e

https://git.kernel.org/stable/c/96d47e40bf9db4a9efd5c8fb53287a508d165f14

https://git.kernel.org/stable/c/a1288cd700f721c1a119c4f1e8efa234e59caada

https://git.kernel.org/stable/c/bde742b076cbe26ecc89c8c68c76ae076a524d02