ghsa-qfvg-x2cj-cf5g
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback()
Fix a stack-out-of-bounds write that occurs in a WMI response callback function that is called after a timeout occurs in ath9k_wmi_cmd(). The callback writes to wmi->cmd_rsp_buf, a stack-allocated buffer that could no longer be valid when a timeout occurs. Set wmi->last_seq_id to 0 when a timeout occurred.
Found by a modified version of syzkaller.
BUG: KASAN: stack-out-of-bounds in ath9k_wmi_ctrl_rx Write of size 4 Call Trace: memcpy ath9k_wmi_ctrl_rx ath9k_htc_rx_msg ath9k_hif_usb_reg_in_cb __usb_hcd_giveback_urb usb_hcd_giveback_urb dummy_timer call_timer_fn run_timer_softirq __do_softirq irq_exit_rcu sysvec_apic_timer_interrupt
{
"affected": [],
"aliases": [
"CVE-2023-53717"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-22T14:15:46Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback()\n\nFix a stack-out-of-bounds write that occurs in a WMI response callback\nfunction that is called after a timeout occurs in ath9k_wmi_cmd().\nThe callback writes to wmi-\u003ecmd_rsp_buf, a stack-allocated buffer that\ncould no longer be valid when a timeout occurs. Set wmi-\u003elast_seq_id to\n0 when a timeout occurred.\n\nFound by a modified version of syzkaller.\n\nBUG: KASAN: stack-out-of-bounds in ath9k_wmi_ctrl_rx\nWrite of size 4\nCall Trace:\n memcpy\n ath9k_wmi_ctrl_rx\n ath9k_htc_rx_msg\n ath9k_hif_usb_reg_in_cb\n __usb_hcd_giveback_urb\n usb_hcd_giveback_urb\n dummy_timer\n call_timer_fn\n run_timer_softirq\n __do_softirq\n irq_exit_rcu\n sysvec_apic_timer_interrupt",
"id": "GHSA-qfvg-x2cj-cf5g",
"modified": "2025-10-22T15:31:11Z",
"published": "2025-10-22T15:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53717"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1af7eacfad45149c54893a8a9df9e92ef89f0a90"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/554048a72d7ecfdd58cc1bfb56e0a1864e64e82c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/78b56b0a613a87b61290b95be497fdfe2fe58aa6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/89a33c3c847b19b19205cde1d924df2a6c70d8eb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8a2f35b9830692f7a616f2f627f943bc748af13a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8f28513d9520184059530c01a9f928a1b3809d3f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ae4933b4f17de8e2b7ff6f91b17d3b0099a6d6bc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bf6dc175a2b53098a69db1236d9d53982f4b1bc0"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.