Bug 2401560 (CVE-2023-53570) - CVE-2023-53570 kernel: wifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems()
Summary: CVE-2023-53570 kernel: wifi: nl80211: fix integer overflow in nl80211_parse_m...
Keywords:
Status: NEW
Alias: CVE-2023-53570
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-10-04 16:07 UTC by OSIDB Bzimport
Modified: 2025-11-04 00:50 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-10-04 16:07:28 UTC 
In the Linux kernel, the following vulnerability has been resolved:

wifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems()

nl80211_parse_mbssid_elems() uses a u8 variable num_elems to count the
number of MBSSID elements in the nested netlink attribute attrs, which can
lead to an integer overflow if a user of the nl80211 interface specifies
256 or more elements in the corresponding attribute in userspace. The
integer overflow can lead to a heap buffer overflow as num_elems determines
the size of the trailing array in elems, and this array is thereafter
written to for each element in attrs.

Note that this vulnerability only affects devices with the
wiphy->mbssid_max_interfaces member set for the wireless physical device
struct in the device driver, and can only be triggered by a process with
CAP_NET_ADMIN capabilities.

Fix this by checking for a maximum of 255 elements in attrs.
Comment 1 Alexander B 2025-10-06 11:53:49 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025100453-CVE-2023-53570-3733@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.