Bug 2395305 (CVE-2023-53199) - CVE-2023-53199 kernel: wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails
Summary: CVE-2023-53199 kernel: wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_r...
Keywords:
Status: NEW
Alias: CVE-2023-53199
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-15 15:06 UTC by OSIDB Bzimport
Modified: 2025-09-17 18:21 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-09-15 15:06:33 UTC 
In the Linux kernel, the following vulnerability has been resolved:

wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails

Syzkaller detected a memory leak of skbs in ath9k_hif_usb_rx_stream().
While processing skbs in ath9k_hif_usb_rx_stream(), the already allocated
skbs in skb_pool are not freed if ath9k_hif_usb_rx_stream() fails. If we
have an incorrect pkt_len or pkt_tag, the input skb is considered invalid
and dropped. All the associated packets already in skb_pool should be
dropped and freed. Added a comment describing this issue.

The patch also makes remain_skb NULL after being processed so that it
cannot be referenced after potential free. The initialization of hif_dev
fields which are associated with remain_skb (rx_remain_len,
rx_transfer_len and rx_pad_len) is moved after a new remain_skb is
allocated.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Comment 1 Keith Grant 2025-09-16 13:08:15 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091509-CVE-2023-53199-8a8c@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.