{"vulnerability": "CVE-2023-5288", "sightings": [{"uuid": "6fc476db-f339-4312-8525-9af787d1fee4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-5288", "type": "seen", "source": "https://t.me/cibsecurity/71286", "content": "\u203c CVE-2023-5288 \u203c\n\nA remote unauthorized attacker may connect to the SIM1012, interact with the device and change configuration settings. The adversary may also reset the SIM and in the worst case upload a new firmware version to the device.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-09-29T16:37:36.000000Z"}, {"uuid": "b0b67776-5e7c-47c7-b364-101efcd62134", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-52881", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-226-15", "content": "", "creation_timestamp": "2025-08-14T10:00:00.000000Z"}, {"uuid": "f548c76a-e668-40ca-95e0-c17d9bee61bf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2023-52888", "type": "seen", "source": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0316/", "content": "", "creation_timestamp": "2026-03-19T00:00:00.000000Z"}, {"uuid": "5dbdae81-ae64-41ff-afca-bc5ee81576eb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "c933734a-9be8-4142-889e-26e95c752803", "vulnerability": "CVE-2023-52888", "type": "seen", "source": "https://vulnerability.circl.lu/bundle/816dcc8e-f25a-4895-9b59-1bbd9caeccb8", "content": "", "creation_timestamp": "2025-12-03T14:14:49.267740Z"}, {"uuid": "f52e7372-7380-4334-ad0e-8900ace5f4b8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": 
"CVE-2023-52885", "type": "seen", "source": "https://t.me/cvedetector/816", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2023-52885 - In the Linux kernel, the following vulnerability h\", \n  \"Content\": \"CVE ID : CVE-2023-52885 \nPublished : July 14, 2024, 8:15 a.m. | 22\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \nSUNRPC: Fix UAF in svc_tcp_listen_data_ready()  \n  \nAfter the listener svc_sock is freed, and before invoking svc_tcp_accept()  \nfor the established child sock, there is a window that the newsock  \nretaining a freed listener svc_sock in sk_user_data which cloning from  \nparent. In the race window, if data is received on the newsock, we will  \nobserve use-after-free report in svc_tcp_listen_data_ready().  \n  \nReproduce by two tasks:  \n  \n1. while :; do rpc.nfsd 0 ; rpc.nfsd; done  \n2. while :; do echo \"\" | ncat -4 127.0.0.1 2049 ; done  \n  \nKASAN report:  \n  \n  ==================================================================  \n  BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]  \n  Read of size 8 at addr ffff888139d96228 by task nc/102553  \n  CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18  \n  Hardware name: VMware, Inc. 
VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020  \n  Call Trace:  \n     \n   dump_stack_lvl+0x33/0x50  \n   print_address_description.constprop.0+0x27/0x310  \n   print_report+0x3e/0x70  \n   kasan_report+0xae/0xe0  \n   svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]  \n   tcp_data_queue+0x9f4/0x20e0  \n   tcp_rcv_established+0x666/0x1f60  \n   tcp_v4_do_rcv+0x51c/0x850  \n   tcp_v4_rcv+0x23fc/0x2e80  \n   ip_protocol_deliver_rcu+0x62/0x300  \n   ip_local_deliver_finish+0x267/0x350  \n   ip_local_deliver+0x18b/0x2d0  \n   ip_rcv+0x2fb/0x370  \n   __netif_receive_skb_one_core+0x166/0x1b0  \n   process_backlog+0x24c/0x5e0  \n   __napi_poll+0xa2/0x500  \n   net_rx_action+0x854/0xc90  \n   __do_softirq+0x1bb/0x5de  \n   do_softirq+0xcb/0x100  \n     \n     \n   ...  \n     \n  \n  Allocated by task 102371:  \n   kasan_save_stack+0x1e/0x40  \n   kasan_set_track+0x21/0x30  \n   __kasan_kmalloc+0x7b/0x90  \n   svc_setup_socket+0x52/0x4f0 [sunrpc]  \n   svc_addsock+0x20d/0x400 [sunrpc]  \n   __write_ports_addfd+0x209/0x390 [nfsd]  \n   write_ports+0x239/0x2c0 [nfsd]  \n   nfsctl_transaction_write+0xac/0x110 [nfsd]  \n   vfs_write+0x1c3/0xae0  \n   ksys_write+0xed/0x1c0  \n   do_syscall_64+0x38/0x90  \n   entry_SYSCALL_64_after_hwframe+0x72/0xdc  \n  \n  Freed by task 102551:  \n   kasan_save_stack+0x1e/0x40  \n   kasan_set_track+0x21/0x30  \n   kasan_save_free_info+0x2a/0x50  \n   __kasan_slab_free+0x106/0x190  \n   __kmem_cache_free+0x133/0x270  \n   svc_xprt_free+0x1e2/0x350 [sunrpc]  \n   svc_xprt_destroy_all+0x25a/0x440 [sunrpc]  \n   nfsd_put+0x125/0x240 [nfsd]  \n   nfsd_svc+0x2cb/0x3c0 [nfsd]  \n   write_threads+0x1ac/0x2a0 [nfsd]  \n   nfsctl_transaction_write+0xac/0x110 [nfsd]  \n   vfs_write+0x1c3/0xae0  \n   ksys_write+0xed/0x1c0  \n   do_syscall_64+0x38/0x90  \n   entry_SYSCALL_64_after_hwframe+0x72/0xdc  \n  \nFix the UAF by simply doing nothing in svc_tcp_listen_data_ready()  \nif state != TCP_LISTEN, that will avoid 
dereferencing svsk for all  \nchild socket. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"14 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-14T10:45:04.000000Z"}, {"uuid": "12922223-557a-4ffe-979f-0c6bf61103bd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-52887", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-226-07", "content": "", "creation_timestamp": "2025-08-14T10:00:00.000000Z"}, {"uuid": "a9d56470-5022-4de3-a11a-e1cc5cb875de", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "c933734a-9be8-4142-889e-26e95c752803", "vulnerability": "CVE-2023-52886", "type": "seen", "source": "https://vulnerability.circl.lu/bundle/816dcc8e-f25a-4895-9b59-1bbd9caeccb8", "content": "", "creation_timestamp": "2025-12-03T14:14:49.267740Z"}, {"uuid": "0e8b2ec2-61b8-4f33-842e-ad0d9999519e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-52886", "type": "seen", "source": "https://t.me/cvedetector/927", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2023-52886 - Apache USB Core Kernel Hub Port Information Leak\", \n  \"Content\": \"CVE ID : CVE-2023-52886 \nPublished : July 16, 2024, 10:15 a.m. 
| 32\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \nUSB: core: Fix race by not overwriting udev->descriptor in hub_port_init()  \n  \nSyzbot reported an out-of-bounds read in sysfs.c:read_descriptors():  \n  \nBUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883  \nRead of size 8 at addr ffff88801e78b8c8 by task udevd/5011  \n  \nCPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0  \nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023  \nCall Trace:  \n   \n __dump_stack lib/dump_stack.c:88 [inline]  \n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106  \n print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351  \n print_report mm/kasan/report.c:462 [inline]  \n kasan_report+0x11c/0x130 mm/kasan/report.c:572  \n read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883  \n...  \nAllocated by task 758:  \n...  \n __do_kmalloc_node mm/slab_common.c:966 [inline]  \n __kmalloc+0x5e/0x190 mm/slab_common.c:979  \n kmalloc include/linux/slab.h:563 [inline]  \n kzalloc include/linux/slab.h:680 [inline]  \n usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887  \n usb_enumerate_device drivers/usb/core/hub.c:2407 [inline]  \n usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545  \n  \nAs analyzed by Khazhy Kumykov, the cause of this bug is a race between  \nread_descriptors() and hub_port_init(): The first routine uses a field  \nin udev->descriptor, not expecting it to change, while the second  \noverwrites it.  \n  \nPrior to commit 45bf39f8df7f (\"USB: core: Don't hold device lock while  \nreading the \"descriptors\" sysfs file\") this race couldn't occur,  \nbecause the routines were mutually exclusive thanks to the device  \nlocking.  Removing that locking from read_descriptors() exposed it to  \nthe race.  
\n  \nThe best way to fix the bug is to keep hub_port_init() from changing  \nudev->descriptor once udev has been initialized and registered.  \nDrivers expect the descriptors stored in the kernel to be immutable;  \nwe should not undermine this expectation.  In fact, this change should  \nhave been made long ago.  \n  \nSo now hub_port_init() will take an additional argument, specifying a  \nbuffer in which to store the device descriptor it reads.  (If udev has  \nnot yet been initialized, the buffer pointer will be NULL and then  \nhub_port_init() will store the device descriptor in udev as before.)  \nThis eliminates the data race responsible for the out-of-bounds read.  \n  \nThe changes to hub_port_init() appear more extensive than they really  \nare, because of indentation changes resulting from an attempt to avoid  \nwriting to other parts of the usb_device structure after it has been  \ninitialized.  Similar changes should be made to the code that reads  \nthe BOS descriptor, but that can be handled in a separate patch later  \non.  This patch is sufficient to fix the bug found by syzbot. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"16 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-16T12:55:41.000000Z"}]}