CVE-2026-53194

In the Linux kernel, the following vulnerability has been resolved:

USB: serial: kl5kusb105: fix bulk-out buffer overflow

klsi 105 prepare write buffer() is called by the generic write path with the bulk-out buffer and its size (bulk out size, 64 bytes). It stores a two-byte length header at the start of the buffer and copies the payload from the write fifo starting at buf + KLSI HDR LEN, but passes the full buffer size as the number of bytes to copy:

count = kfifo out locked(&port->write fifo, buf + KLSI HDR LEN, size, &port->lock);

When the fifo holds at least size bytes, size bytes are copied starting two bytes into the size-byte buffer, writing KLSI HDR LEN bytes past its end. Copy at most size - KLSI HDR LEN bytes instead, leaving room for the header as safe serial already does.

Writing bulk out size or more bytes to the tty triggers a slab out-of-bounds write, observed with KASAN by emulating the device with dummy hcd and raw-gadget:

BUG: KASAN: slab-out-of-bounds in kfifo copy out+0x83/0xc0 Write of size 64 at addr ffff888112c62202 by task python3 kfifo copy out klsi 105 prepare write buffer [kl5kusb105] usb serial generic write start [usbserial] Allocated by task 139: usb serial probe [usbserial] The buggy address is located 2 bytes inside of allocated 64-byte region

The out-of-bounds write no longer occurs with this change applied.