CVE-2023-53199

In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails Syzkaller detected a memory leak of skbs in ath9k_hif_usb_rx_stream(). While processing skbs in ath9k_hif_usb_rx_stream(), the already allocated skbs in skb_pool are not freed if ath9k_hif_usb_rx_stream() fails. If we have an incorrect pkt_len or pkt_tag, the input skb is considered invalid and dropped. All the associated packets already in skb_pool should be dropped and freed. Added a comment describing this issue. The patch also makes remain_skb NULL after being processed so that it cannot be referenced after potential free. The initialization of hif_dev fields which are associated with remain_skb (rx_remain_len, rx_transfer_len and rx_pad_len) is moved after a new remain_skb is allocated. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/0af54343a76263a12dbae7fafb64eb47c4a6ad38	Patch
https://git.kernel.org/stable/c/3fc6401fafde11712a83089fa2cc874cfd10e2cd	Patch
https://git.kernel.org/stable/c/61490d2710277e8a55009b7682456ae22f8087cf	Patch
https://git.kernel.org/stable/c/9acdec72787af1bc8ed92711b52118c8e3e638a2	Patch
https://git.kernel.org/stable/c/c766e37fccd5a5c5059be7efcd9618bf8a2c17c3	Patch
https://git.kernel.org/stable/c/cd8316767099920a5d41feed1afab0c482a43e9f	Patch
https://git.kernel.org/stable/c/f26dd69f61eff2eedf5df2d199bdd23108309947	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

No history.

Information

Published : 2025-09-15 15:15

Updated : 2025-12-03 19:39

NVD link : CVE-2023-53199

Mitre link : CVE-2023-53199

CVE.ORG link : CVE-2023-53199

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-772

Missing Release of Resource after Effective Lifetime

{"id": "CVE-2023-53199", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-09-15T15:15:46.277", "references": [{"url": "https://git.kernel.org/stable/c/0af54343a76263a12dbae7fafb64eb47c4a6ad38", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3fc6401fafde11712a83089fa2cc874cfd10e2cd", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/61490d2710277e8a55009b7682456ae22f8087cf", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9acdec72787af1bc8ed92711b52118c8e3e638a2", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c766e37fccd5a5c5059be7efcd9618bf8a2c17c3", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cd8316767099920a5d41feed1afab0c482a43e9f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f26dd69f61eff2eedf5df2d199bdd23108309947", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-772"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails\n\nSyzkaller detected a memory leak of skbs in ath9k_hif_usb_rx_stream().\nWhile processing skbs in ath9k_hif_usb_rx_stream(), the already allocated\nskbs in skb_pool are not freed if ath9k_hif_usb_rx_stream() fails. If we\nhave an incorrect pkt_len or pkt_tag, the input skb is considered invalid\nand dropped. All the associated packets already in skb_pool should be\ndropped and freed. Added a comment describing this issue.\n\nThe patch also makes remain_skb NULL after being processed so that it\ncannot be referenced after potential free. The initialization of hif_dev\nfields which are associated with remain_skb (rx_remain_len,\nrx_transfer_len and rx_pad_len) is moved after a new remain_skb is\nallocated.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."}], "lastModified": "2025-12-03T19:39:44.743", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8FCEAE2A-8AC9-4E40-9AC8-9BC6AA0A76F3", "versionEndExcluding": "4.19.276", "versionStartIncluding": "2.6.38"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13DD5E68-8CB4-46EE-9A8F-C7F6C1A84430", "versionEndExcluding": "5.4.235", "versionStartIncluding": "4.20"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4D810CFB-B7C5-493C-B98A-0D5F0D8A47B6", "versionEndExcluding": "5.10.173", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5B8B2AC9-2F31-4A0F-96F5-7E26B50B27BB", "versionEndExcluding": "5.15.99", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0FD95FDA-6525-4B13-B3FB-49D9995FD8ED", "versionEndExcluding": "6.1.16", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "88C67289-22AD-4CA9-B202-5F5A80E5BA4B", "versionEndExcluding": "6.2.3", "versionStartIncluding": "6.2"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}