FKIE_CVE-2023-53213

Vulnerability from fkie_nvd - Published: 2025-09-15 15:15 - Updated: 2026-01-14 18:16
Severity ?
7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() Fix a slab-out-of-bounds read that occurs in kmemdup() called from brcmf_get_assoc_ies(). The bug could occur when assoc_info->req_len, data from a URB provided by a USB device, is bigger than the size of buffer which is defined as WL_EXTRA_BUF_MAX. Add the size check for req_len/resp_len of assoc_info. Found by a modified version of syzkaller. [ 46.592467][ T7] ================================================================== [ 46.594687][ T7] BUG: KASAN: slab-out-of-bounds in kmemdup+0x3e/0x50 [ 46.596572][ T7] Read of size 3014656 at addr ffff888019442000 by task kworker/0:1/7 [ 46.598575][ T7] [ 46.599157][ T7] CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #145 [ 46.601333][ T7] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 [ 46.604360][ T7] Workqueue: events brcmf_fweh_event_worker [ 46.605943][ T7] Call Trace: [ 46.606584][ T7] dump_stack_lvl+0x8e/0xd1 [ 46.607446][ T7] print_address_description.constprop.0.cold+0x93/0x334 [ 46.608610][ T7] ? kmemdup+0x3e/0x50 [ 46.609341][ T7] kasan_report.cold+0x79/0xd5 [ 46.610151][ T7] ? kmemdup+0x3e/0x50 [ 46.610796][ T7] kasan_check_range+0x14e/0x1b0 [ 46.611691][ T7] memcpy+0x20/0x60 [ 46.612323][ T7] kmemdup+0x3e/0x50 [ 46.612987][ T7] brcmf_get_assoc_ies+0x967/0xf60 [ 46.613904][ T7] ? brcmf_notify_vif_event+0x3d0/0x3d0 [ 46.614831][ T7] ? lock_chain_count+0x20/0x20 [ 46.615683][ T7] ? mark_lock.part.0+0xfc/0x2770 [ 46.616552][ T7] ? lock_chain_count+0x20/0x20 [ 46.617409][ T7] ? mark_lock.part.0+0xfc/0x2770 [ 46.618244][ T7] ? lock_chain_count+0x20/0x20 [ 46.619024][ T7] brcmf_bss_connect_done.constprop.0+0x241/0x2e0 [ 46.620019][ T7] ? brcmf_parse_configure_security.isra.0+0x2a0/0x2a0 [ 46.620818][ T7] ? __lock_acquire+0x181f/0x5790 [ 46.621462][ T7] brcmf_notify_connect_status+0x448/0x1950 [ 46.622134][ T7] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 46.622736][ T7] ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0 [ 46.623390][ T7] ? find_held_lock+0x2d/0x110 [ 46.623962][ T7] ? brcmf_fweh_event_worker+0x19f/0xc60 [ 46.624603][ T7] ? mark_held_locks+0x9f/0xe0 [ 46.625145][ T7] ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0 [ 46.625871][ T7] ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0 [ 46.626545][ T7] brcmf_fweh_call_event_handler.isra.0+0x90/0x100 [ 46.627338][ T7] brcmf_fweh_event_worker+0x557/0xc60 [ 46.627962][ T7] ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100 [ 46.628736][ T7] ? rcu_read_lock_sched_held+0xa1/0xd0 [ 46.629396][ T7] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 46.629970][ T7] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 [ 46.630649][ T7] process_one_work+0x92b/0x1460 [ 46.631205][ T7] ? pwq_dec_nr_in_flight+0x330/0x330 [ 46.631821][ T7] ? rwlock_bug.part.0+0x90/0x90 [ 46.632347][ T7] worker_thread+0x95/0xe00 [ 46.632832][ T7] ? __kthread_parkme+0x115/0x1e0 [ 46.633393][ T7] ? process_one_work+0x1460/0x1460 [ 46.633957][ T7] kthread+0x3a1/0x480 [ 46.634369][ T7] ? set_kthread_struct+0x120/0x120 [ 46.634933][ T7] ret_from_fork+0x1f/0x30 [ 46.635431][ T7] [ 46.635687][ T7] Allocated by task 7: [ 46.636151][ T7] kasan_save_stack+0x1b/0x40 [ 46.636628][ T7] __kasan_kmalloc+0x7c/0x90 [ 46.637108][ T7] kmem_cache_alloc_trace+0x19e/0x330 [ 46.637696][ T7] brcmf_cfg80211_attach+0x4a0/0x4040 [ 46.638275][ T7] brcmf_attach+0x389/0xd40 [ 46.638739][ T7] brcmf_usb_probe+0x12de/0x1690 [ 46.639279][ T7] usb_probe_interface+0x2aa/0x760 [ 46.639820][ T7] really_probe+0x205/0xb70 [ 46.640342][ T7] __driver_probe_device+0 ---truncated---
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0da40e018fd034d87c9460123fa7f897b69fdee7Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/21bee3e649d87f78fe8aef6ae02edd3d6f310fd0Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/228186629ea970cc78b7d7d5f593f2d32fddf9f6Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/39f9bd880abac6068bedb24a4e16e7bd26bf92daPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/425eea395f1f5ae349fb55f7fe51d833a5324bfePatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/549825602e3e6449927ca1ea1a08fd89868439dfPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/936a23293bbb3332bdf4cdb9c1496e80cb0bc2c8Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ac5305e5d227b9af3aae25fa83380d3ff0225b73Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e29661611e6e71027159a3140e818ef3b99f32ddPatch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1A8A9F0F-3562-4C72-A33C-CEFDA424F998",
              "versionEndExcluding": "4.14.315",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8AC1BC2D-A61C-4368-A3F6-50DF48E2EFC5",
              "versionEndExcluding": "4.19.283",
              "versionStartIncluding": "4.15",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E54ACEF5-C8C1-4266-85FC-7D513FFD1DEC",
              "versionEndExcluding": "5.4.243",
              "versionStartIncluding": "4.20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "78422AC3-CC89-479E-B4BC-62381D8F3564",
              "versionEndExcluding": "5.10.180",
              "versionStartIncluding": "5.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F8674279-AC2F-41B0-BD2E-29AFEBA31CA0",
              "versionEndExcluding": "5.15.110",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F6D7B93C-E8E7-4BEB-B708-3780D7793DAE",
              "versionEndExcluding": "6.1.27",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0E62BC79-E13F-46D3-9641-F34A9BFDF62C",
              "versionEndExcluding": "6.2.14",
              "versionStartIncluding": "6.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "18CA5E1B-C679-442E-8ADB-E56ACDE39BBE",
              "versionEndExcluding": "6.3.1",
              "versionStartIncluding": "6.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()\n\nFix a slab-out-of-bounds read that occurs in kmemdup() called from\nbrcmf_get_assoc_ies().\nThe bug could occur when assoc_info-\u003ereq_len, data from a URB provided\nby a USB device, is bigger than the size of buffer which is defined as\nWL_EXTRA_BUF_MAX.\n\nAdd the size check for req_len/resp_len of assoc_info.\n\nFound by a modified version of syzkaller.\n\n[   46.592467][    T7] ==================================================================\n[   46.594687][    T7] BUG: KASAN: slab-out-of-bounds in kmemdup+0x3e/0x50\n[   46.596572][    T7] Read of size 3014656 at addr ffff888019442000 by task kworker/0:1/7\n[   46.598575][    T7]\n[   46.599157][    T7] CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G           O      5.14.0+ #145\n[   46.601333][    T7] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\n[   46.604360][    T7] Workqueue: events brcmf_fweh_event_worker\n[   46.605943][    T7] Call Trace:\n[   46.606584][    T7]  dump_stack_lvl+0x8e/0xd1\n[   46.607446][    T7]  print_address_description.constprop.0.cold+0x93/0x334\n[   46.608610][    T7]  ? kmemdup+0x3e/0x50\n[   46.609341][    T7]  kasan_report.cold+0x79/0xd5\n[   46.610151][    T7]  ? kmemdup+0x3e/0x50\n[   46.610796][    T7]  kasan_check_range+0x14e/0x1b0\n[   46.611691][    T7]  memcpy+0x20/0x60\n[   46.612323][    T7]  kmemdup+0x3e/0x50\n[   46.612987][    T7]  brcmf_get_assoc_ies+0x967/0xf60\n[   46.613904][    T7]  ? brcmf_notify_vif_event+0x3d0/0x3d0\n[   46.614831][    T7]  ? lock_chain_count+0x20/0x20\n[   46.615683][    T7]  ? mark_lock.part.0+0xfc/0x2770\n[   46.616552][    T7]  ? lock_chain_count+0x20/0x20\n[   46.617409][    T7]  ? mark_lock.part.0+0xfc/0x2770\n[   46.618244][    T7]  ? lock_chain_count+0x20/0x20\n[   46.619024][    T7]  brcmf_bss_connect_done.constprop.0+0x241/0x2e0\n[   46.620019][    T7]  ? brcmf_parse_configure_security.isra.0+0x2a0/0x2a0\n[   46.620818][    T7]  ? __lock_acquire+0x181f/0x5790\n[   46.621462][    T7]  brcmf_notify_connect_status+0x448/0x1950\n[   46.622134][    T7]  ? rcu_read_lock_bh_held+0xb0/0xb0\n[   46.622736][    T7]  ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0\n[   46.623390][    T7]  ? find_held_lock+0x2d/0x110\n[   46.623962][    T7]  ? brcmf_fweh_event_worker+0x19f/0xc60\n[   46.624603][    T7]  ? mark_held_locks+0x9f/0xe0\n[   46.625145][    T7]  ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0\n[   46.625871][    T7]  ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0\n[   46.626545][    T7]  brcmf_fweh_call_event_handler.isra.0+0x90/0x100\n[   46.627338][    T7]  brcmf_fweh_event_worker+0x557/0xc60\n[   46.627962][    T7]  ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100\n[   46.628736][    T7]  ? rcu_read_lock_sched_held+0xa1/0xd0\n[   46.629396][    T7]  ? rcu_read_lock_bh_held+0xb0/0xb0\n[   46.629970][    T7]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n[   46.630649][    T7]  process_one_work+0x92b/0x1460\n[   46.631205][    T7]  ? pwq_dec_nr_in_flight+0x330/0x330\n[   46.631821][    T7]  ? rwlock_bug.part.0+0x90/0x90\n[   46.632347][    T7]  worker_thread+0x95/0xe00\n[   46.632832][    T7]  ? __kthread_parkme+0x115/0x1e0\n[   46.633393][    T7]  ? process_one_work+0x1460/0x1460\n[   46.633957][    T7]  kthread+0x3a1/0x480\n[   46.634369][    T7]  ? set_kthread_struct+0x120/0x120\n[   46.634933][    T7]  ret_from_fork+0x1f/0x30\n[   46.635431][    T7]\n[   46.635687][    T7] Allocated by task 7:\n[   46.636151][    T7]  kasan_save_stack+0x1b/0x40\n[   46.636628][    T7]  __kasan_kmalloc+0x7c/0x90\n[   46.637108][    T7]  kmem_cache_alloc_trace+0x19e/0x330\n[   46.637696][    T7]  brcmf_cfg80211_attach+0x4a0/0x4040\n[   46.638275][    T7]  brcmf_attach+0x389/0xd40\n[   46.638739][    T7]  brcmf_usb_probe+0x12de/0x1690\n[   46.639279][    T7]  usb_probe_interface+0x2aa/0x760\n[   46.639820][    T7]  really_probe+0x205/0xb70\n[   46.640342][    T7]  __driver_probe_device+0\n---truncated---"
    }
  ],
  "id": "CVE-2023-53213",
  "lastModified": "2026-01-14T18:16:29.097",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.2,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-09-15T15:15:47.900",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/0da40e018fd034d87c9460123fa7f897b69fdee7"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/21bee3e649d87f78fe8aef6ae02edd3d6f310fd0"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/228186629ea970cc78b7d7d5f593f2d32fddf9f6"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/39f9bd880abac6068bedb24a4e16e7bd26bf92da"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/425eea395f1f5ae349fb55f7fe51d833a5324bfe"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/549825602e3e6449927ca1ea1a08fd89868439df"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/936a23293bbb3332bdf4cdb9c1496e80cb0bc2c8"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/ac5305e5d227b9af3aae25fa83380d3ff0225b73"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/e29661611e6e71027159a3140e818ef3b99f32dd"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-125"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-125"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.