7.8
CVE-2026-53194
- EPSS 0.15%
- Veröffentlicht 25.06.2026 08:39:05
- Zuletzt bearbeitet 06.07.2026 12:36:52
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
USB: serial: kl5kusb105: fix bulk-out buffer overflow
In the Linux kernel, the following vulnerability has been resolved:
USB: serial: kl5kusb105: fix bulk-out buffer overflow
klsi_105_prepare_write_buffer() is called by the generic write path
with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It
stores a two-byte length header at the start of the buffer and copies
the payload from the write fifo starting at buf + KLSI_HDR_LEN, but
passes the full buffer size as the number of bytes to copy:
count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
size, &port->lock);
When the fifo holds at least size bytes, size bytes are copied starting
two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its
end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for
the header as safe_serial already does.
Writing bulk_out_size or more bytes to the tty triggers a slab
out-of-bounds write, observed with KASAN by emulating the device with
dummy_hcd and raw-gadget:
BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0
Write of size 64 at addr ffff888112c62202 by task python3
kfifo_copy_out
klsi_105_prepare_write_buffer [kl5kusb105]
usb_serial_generic_write_start [usbserial]
Allocated by task 139:
usb_serial_probe [usbserial]
The buggy address is located 2 bytes inside of allocated 64-byte region
The out-of-bounds write no longer occurs with this change applied.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 2.6.35 < 5.10.259
Linux ≫ Linux Kernel Version >= 5.11 < 5.15.210
Linux ≫ Linux Kernel Version >= 5.16 < 6.1.176
Linux ≫ Linux Kernel Version >= 6.2 < 6.6.143
Linux ≫ Linux Kernel Version >= 6.7 < 6.12.94
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.36
Linux ≫ Linux Kernel Version >= 6.19 < 7.0.13
Linux ≫ Linux Kernel Version7.1 Updaterc1
Linux ≫ Linux Kernel Version7.1 Updaterc2
Linux ≫ Linux Kernel Version7.1 Updaterc3
Linux ≫ Linux Kernel Version7.1 Updaterc4
Linux ≫ Linux Kernel Version7.1 Updaterc5
Linux ≫ Linux Kernel Version7.1 Updaterc6
Linux ≫ Linux Kernel Version7.1 Updaterc7
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.15% | 0.044 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 5.3 | 1 | 4.2 |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
|
CWE-787 Out-of-bounds Write
The product writes data past the end, or before the beginning, of the intended buffer.
https://git.kernel.org/stable/c/60af1fd82983c26604102e63a3fcc822c186cceb
https://git.kernel.org/stable/c/0a57320f71941d4e0b1307453c9a1f0939afe666
https://git.kernel.org/stable/c/14147b7963685957839c76ba8094924e22777d79
https://git.kernel.org/stable/c/a1288cd700f721c1a119c4f1e8efa234e59caada
https://git.kernel.org/stable/c/70d86e355c564b5510fde61361df014f5476c83e
https://git.kernel.org/stable/c/372f33ebed747d91870f57c0a2e62884a870bffa
https://git.kernel.org/stable/c/bde742b076cbe26ecc89c8c68c76ae076a524d02
https://git.kernel.org/stable/c/96d47e40bf9db4a9efd5c8fb53287a508d165f14
https://access.redhat.com/security/cve/CVE-2026-53194
https://bugzilla.redhat.com/show_bug.cgi?id=2492703
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53194.json