CVE-2023-53213

HIGH EPSS 4.7%
Published Sep 15, 20259mo ago · Modified Jun 17, 20261w ago
7.1 CVSS 3.1
High
Find Similar
Published Sep 15, 2025 9mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() Fix a slab-out-of-bounds read that occurs in kmemdup() called from brcmf_get_assoc_ies(). The bug could occur when assoc_info->req_len, data from a URB provided by a USB device, is bigger than the size of buffer which is defined as WL_EXTRA_BUF_MAX. Add the size check for req_len/resp_len of assoc_info. Found by a modified version of syzkaller. [ 46.592467][ T7] ================================================================== [ 46.594687][ T7] BUG: KASAN: slab-out-of-bounds in kmemdup+0x3e/0x50 [ 46.596572][ T7] Read of size 3014656 at addr ffff888019442000 by task kworker/0:1/7 [ 46.598575][ T7] [ 46.599157][ T7] CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #145 [ 46.601333][ T7] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 [ 46.604360][ T7] Workqueue: events brcmf_fweh_event_worker [ 46.605943][ T7] Call Trace: [ 46.606584][ T7] dump_stack_lvl+0x8e/0xd1 [ 46.607446][ T7] print_address_description.constprop.0.cold+0x93/0x334 [ 46.608610][ T7] ? kmemdup+0x3e/0x50 [ 46.609341][ T7] kasan_report.cold+0x79/0xd5 [ 46.610151][ T7] ? kmemdup+0x3e/0x50 [ 46.610796][ T7] kasan_check_range+0x14e/0x1b0 [ 46.611691][ T7] memcpy+0x20/0x60 [ 46.612323][ T7] kmemdup+0x3e/0x50 [ 46.612987][ T7] brcmf_get_assoc_ies+0x967/0xf60 [ 46.613904][ T7] ? brcmf_notify_vif_event+0x3d0/0x3d0 [ 46.614831][ T7] ? lock_chain_count+0x20/0x20 [ 46.615683][ T7] ? mark_lock.part.0+0xfc/0x2770 [ 46.616552][ T7] ? lock_chain_count+0x20/0x20 [ 46.617409][ T7] ? mark_lock.part.0+0xfc/0x2770 [ 46.618244][ T7] ? lock_chain_count+0x20/0x20 [ 46.619024][ T7] brcmf_bss_connect_done.constprop.0+0x241/0x2e0 [ 46.620019][ T7] ? brcmf_parse_configure_security.isra.0+0x2a0/0x2a0 [ 46.620818][ T7] ? __lock_acquire+0x181f/0x5790 [ 46.621462][ T7] brcmf_notify_connect_status+0x448/0x1950 [ 46.622134][ T7] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 46.622736][ T7] ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0 [ 46.623390][ T7] ? find_held_lock+0x2d/0x110 [ 46.623962][ T7] ? brcmf_fweh_event_worker+0x19f/0xc60 [ 46.624603][ T7] ? mark_held_locks+0x9f/0xe0 [ 46.625145][ T7] ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0 [ 46.625871][ T7] ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0 [ 46.626545][ T7] brcmf_fweh_call_event_handler.isra.0+0x90/0x100 [ 46.627338][ T7] brcmf_fweh_event_worker+0x557/0xc60 [ 46.627962][ T7] ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100 [ 46.628736][ T7] ? rcu_read_lock_sched_held+0xa1/0xd0 [ 46.629396][ T7] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 46.629970][ T7] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 [ 46.630649][ T7] process_one_work+0x92b/0x1460 [ 46.631205][ T7] ? pwq_dec_nr_in_flight+0x330/0x330 [ 46.631821][ T7] ? rwlock_bug.part.0+0x90/0x90 [ 46.632347][ T7] worker_thread+0x95/0xe00 [ 46.632832][ T7] ? __kthread_parkme+0x115/0x1e0 [ 46.633393][ T7] ? process_one_work+0x1460/0x1460 [ 46.633957][ T7] kthread+0x3a1/0x480 [ 46.634369][ T7] ? set_kthread_struct+0x120/0x120 [ 46.634933][ T7] ret_from_fork+0x1f/0x30 [ 46.635431][ T7] [ 46.635687][ T7] Allocated by task 7: [ 46.636151][ T7] kasan_save_stack+0x1b/0x40 [ 46.636628][ T7] __kasan_kmalloc+0x7c/0x90 [ 46.637108][ T7] kmem_cache_alloc_trace+0x19e/0x330 [ 46.637696][ T7] brcmf_cfg80211_attach+0x4a0/0x4040 [ 46.638275][ T7] brcmf_attach+0x389/0xd40 [ 46.638739][ T7] brcmf_usb_probe+0x12de/0x1690 [ 46.639279][ T7] usb_probe_interface+0x2aa/0x760 [ 46.639820][ T7] really_probe+0x205/0xb70 [ 46.640342][ T7] __driver_probe_device+0 ---truncated---

CVSS Details

Base Score
7.1
Exploitability
1.8
Impact
5.2
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
4.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-125 Out-of-bounds Read Memory Safety

Affected Products 8

VendorProductVersionRange
linuxlinux_kernel* <4.14.315
linuxlinux_kernel*≥4.15  –  <4.19.283
linuxlinux_kernel*≥4.20  –  <5.4.243
linuxlinux_kernel*≥5.5  –  <5.10.180
linuxlinux_kernel*≥5.11  –  <5.15.110
linuxlinux_kernel*≥5.16  –  <6.1.27
linuxlinux_kernel*≥6.2  –  <6.2.14
linuxlinux_kernel*≥6.3  –  <6.3.1

References 9

  • git.kernel.org https://git.kernel.org/stable/c/0da40e018fd034d87c9460123fa7f897b69fdee7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/21bee3e649d87f78fe8aef6ae02edd3d6f310fd0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/228186629ea970cc78b7d7d5f593f2d32fddf9f6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/39f9bd880abac6068bedb24a4e16e7bd26bf92da
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/425eea395f1f5ae349fb55f7fe51d833a5324bfe
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/549825602e3e6449927ca1ea1a08fd89868439df
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/936a23293bbb3332bdf4cdb9c1496e80cb0bc2c8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ac5305e5d227b9af3aae25fa83380d3ff0225b73
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e29661611e6e71027159a3140e818ef3b99f32dd
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0da40e018fd034d87c9460123fa7f897b69fdee7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/21bee3e649d87f78fe8aef6ae02edd3d6f310fd0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/228186629ea970cc78b7d7d5f593f2d32fddf9f6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/39f9bd880abac6068bedb24a4e16e7bd26bf92da
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/425eea395f1f5ae349fb55f7fe51d833a5324bfe
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/549825602e3e6449927ca1ea1a08fd89868439df
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/936a23293bbb3332bdf4cdb9c1496e80cb0bc2c8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ac5305e5d227b9af3aae25fa83380d3ff0225b73
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e29661611e6e71027159a3140e818ef3b99f32dd
    Patch