Skip to main content

Linux Kernel EUVDEUVD-2026-39285

| CVE-2026-53194 HIGH
Out-of-bounds Write (CWE-787)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-wwc5-7r8x-52gg
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local-only via writable tty device (AV:L, PR:L), no interaction, and kernel slab corruption justifies high CIA in the worst case (S:U).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:29 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

USB: serial: kl5kusb105: fix bulk-out buffer overflow

klsi_105_prepare_write_buffer() is called by the generic write path with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It stores a two-byte length header at the start of the buffer and copies the payload from the write fifo starting at buf + KLSI_HDR_LEN, but passes the full buffer size as the number of bytes to copy:

count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, size, &port->lock);

When the fifo holds at least size bytes, size bytes are copied starting two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for the header as safe_serial already does.

Writing bulk_out_size or more bytes to the tty triggers a slab out-of-bounds write, observed with KASAN by emulating the device with dummy_hcd and raw-gadget:

BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0 Write of size 64 at addr ffff888112c62202 by task python3 kfifo_copy_out klsi_105_prepare_write_buffer [kl5kusb105] usb_serial_generic_write_start [usbserial] Allocated by task 139: usb_serial_probe [usbserial] The buggy address is located 2 bytes inside of allocated 64-byte region

The out-of-bounds write no longer occurs with this change applied.

AnalysisAI

Heap out-of-bounds write in the Linux kernel's USB serial driver for KL5KUSB105-based adapters (kl5kusb105) lets a write to an attached tty corrupt slab memory two bytes past a 64-byte bulk-out buffer. The flaw is in klsi_105_prepare_write_buffer(), which reserves a two-byte length header but still copies the full buffer size from the write FIFO, overrunning the allocation by KLSI_HDR_LEN (2) bytes. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local write access to KLSI tty
Delivery
Attach or emulate KL5KUSB105 adapter
Exploit
Write ≥64 bytes to write FIFO
Execution
Trigger over-copy in klsi_105_prepare_write_buffer
Persist
Overflow 64-byte bulk-out slab buffer
Impact
Corrupt adjacent kernel heap memory

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) a vulnerable KLSI KL5KUSB105 USB-to-serial adapter physically present or emulated via a USB gadget such as raw-gadget/dummy_hcd, (2) the kl5kusb105 driver compiled and loaded, and (3) local write access to the adapter's tty device so the attacker can push bulk_out_size (64) or more bytes through the write FIFO - that volume is the exact trigger for the kfifo_out_locked() over-copy. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are broadly consistent and point to a real-but-low-priority hardening fix rather than an urgent threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with local access and write permission to the serial device node attaches (or has already attached) a KL5KUSB105-based USB-serial adapter, then writes 64 or more bytes to the tty, causing klsi_105_prepare_write_buffer() to overflow the 64-byte bulk-out slab buffer by two bytes and corrupt adjacent kernel heap memory. No public exploit is identified at time of analysis; the issue was reproduced only with KASAN using dummy_hcd and raw-gadget emulation, and weaponizing the 2-byte overflow into privilege escalation would require additional heap-grooming work.
Remediation Vendor-released patch: update to a fixed Linux kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 7.0.13, 6.18.36, or mainline 7.1 (apply the build matching your stable series), as listed in EUVD-2026-39285 and the kernel.org stable commits referenced from https://nvd.nist.gov/vuln/detail/CVE-2026-53194. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems deploying KL5KUSB105 USB serial adapters and document their business criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39285 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy