Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local-only via writable tty device (AV:L, PR:L), no interaction, and kernel slab corruption justifies high CIA in the worst case (S:U).
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
USB: serial: kl5kusb105: fix bulk-out buffer overflow
klsi_105_prepare_write_buffer() is called by the generic write path with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It stores a two-byte length header at the start of the buffer and copies the payload from the write fifo starting at buf + KLSI_HDR_LEN, but passes the full buffer size as the number of bytes to copy:
count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, size, &port->lock);
When the fifo holds at least size bytes, size bytes are copied starting two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for the header as safe_serial already does.
Writing bulk_out_size or more bytes to the tty triggers a slab out-of-bounds write, observed with KASAN by emulating the device with dummy_hcd and raw-gadget:
BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0 Write of size 64 at addr ffff888112c62202 by task python3 kfifo_copy_out klsi_105_prepare_write_buffer [kl5kusb105] usb_serial_generic_write_start [usbserial] Allocated by task 139: usb_serial_probe [usbserial] The buggy address is located 2 bytes inside of allocated 64-byte region
The out-of-bounds write no longer occurs with this change applied.
AnalysisAI
Heap out-of-bounds write in the Linux kernel's USB serial driver for KL5KUSB105-based adapters (kl5kusb105) lets a write to an attached tty corrupt slab memory two bytes past a 64-byte bulk-out buffer. The flaw is in klsi_105_prepare_write_buffer(), which reserves a two-byte length header but still copies the full buffer size from the write FIFO, overrunning the allocation by KLSI_HDR_LEN (2) bytes. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) a vulnerable KLSI KL5KUSB105 USB-to-serial adapter physically present or emulated via a USB gadget such as raw-gadget/dummy_hcd, (2) the kl5kusb105 driver compiled and loaded, and (3) local write access to the adapter's tty device so the attacker can push bulk_out_size (64) or more bytes through the write FIFO - that volume is the exact trigger for the kfifo_out_locked() over-copy. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are broadly consistent and point to a real-but-low-priority hardening fix rather than an urgent threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with local access and write permission to the serial device node attaches (or has already attached) a KL5KUSB105-based USB-serial adapter, then writes 64 or more bytes to the tty, causing klsi_105_prepare_write_buffer() to overflow the 64-byte bulk-out slab buffer by two bytes and corrupt adjacent kernel heap memory. No public exploit is identified at time of analysis; the issue was reproduced only with KASAN using dummy_hcd and raw-gadget emulation, and weaponizing the 2-byte overflow into privilege escalation would require additional heap-grooming work. |
| Remediation | Vendor-released patch: update to a fixed Linux kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 7.0.13, 6.18.36, or mainline 7.1 (apply the build matching your stable series), as listed in EUVD-2026-39285 and the kernel.org stable commits referenced from https://nvd.nist.gov/vuln/detail/CVE-2026-53194. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems deploying KL5KUSB105 USB serial adapters and document their business criticality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39285
GHSA-wwc5-7r8x-52gg