CVE-2023-53199

wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails Syzkaller detected a memory leak of skbs in ath9k_hif_usb_rx_stream().
While processing skbs in ath9k_hif_usb_rx_stream(), the already allocated
skbs in skb_pool are not freed if ath9k_hif_usb_rx_stream() fails. If we
have an incorrect pkt_len or pkt_tag, the input skb is considered invalid
and dropped. All the associated packets already in skb_pool should be
dropped and freed. Added a comment describing this issue. The patch also makes remain_skb NULL after being processed so that it
cannot be referenced after potential free. The initialization of hif_dev
fields which are associated with remain_skb (rx_remain_len,
rx_transfer_len and rx_pad_len) is moved after a new remain_skb is
allocated. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails Syzkaller detected a memory leak of skbs in ath9k_hif_usb_rx_stream(). While processing skbs in ath9k_hif_usb_rx_stream(), the already allocated skbs in skb_pool are not freed if ath9k_hif_usb_rx_stream() fails. If we have an incorrect pkt_len or pkt_tag, the input skb is considered invalid and dropped. All the associated packets already in skb_pool should be dropped and freed. Added a comment describing this issue. The patch also makes remain_skb NULL after being processed so that it cannot be referenced after potential free. The initialization of hif_dev fields which are associated with remain_skb (rx_remain_len, rx_transfer_len and rx_pad_len) is moved after a new remain_skb is allocated. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

This update provides the initial livepatch for this kernel update. This update does not contain any fixes and will be updated with livepatches later.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-09-15 CVE Reserved
2025-09-15 CVE Published
2025-09-15 CVE Updated
2026-01-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/44b23b488d44e56d467764ecb661830e5b02b308	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/3fc6401fafde11712a83089fa2cc874cfd10e2cd	2023-03-11
https://git.kernel.org/stable/c/cd8316767099920a5d41feed1afab0c482a43e9f	2023-03-11
https://git.kernel.org/stable/c/f26dd69f61eff2eedf5df2d199bdd23108309947	2023-03-11
https://git.kernel.org/stable/c/61490d2710277e8a55009b7682456ae22f8087cf	2023-03-10
https://git.kernel.org/stable/c/9acdec72787af1bc8ed92711b52118c8e3e638a2	2023-03-10
https://git.kernel.org/stable/c/c766e37fccd5a5c5059be7efcd9618bf8a2c17c3	2023-03-10
https://git.kernel.org/stable/c/0af54343a76263a12dbae7fafb64eb47c4a6ad38	2023-01-17

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.38 < 4.19.276 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.38 < 4.19.276"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.38 < 5.4.235 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.38 < 5.4.235"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.38 < 5.10.173 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.38 < 5.10.173"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.38 < 5.15.99 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.38 < 5.15.99"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.38 < 6.1.16 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.38 < 6.1.16"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.38 < 6.2.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.38 < 6.2.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.38 < 6.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.38 < 6.3"		en		Affected