DEBIAN-CVE-2023-53641

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2023-53641
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53641.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2023-53641
Upstream
Published
2025-10-07T16:15:47Z
Modified
2025-10-08T09:06:06.230925Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: hifusb: fix memory leak of remainskbs hifdev->remainskb is allocated and used exclusively in ath9khifusbrxstream(). It is implied that an allocated remainskb is processed and subsequently freed (in error paths) only during the next call of ath9khifusbrxstream(). So, if the urbs are deallocated between those two calls due to the device deinitialization or suspend, it is possible that ath9khifusbrxstream() is not called next time and the allocated remainskb is leaked. Our local Syzkaller instance was able to trigger that. remainskb makes sense when receiving two consecutive urbs which are logically linked together, i.e. a specific data field from the first skb indicates a cached skb to be allocated, memcpy'd with some data and subsequently processed in the next call to ath9khifusbrxstream(). Urbs deallocation supposedly makes that link irrelevant so we need to free the cached skb in those cases. Fix the leak by introducing a function to explicitly free remainskb (if it is not NULL) when the rx urbs have been deallocated. remainskb is NULL when it has not been allocated at all (hifdev struct is kzalloced) or when it has been processed in next call to ath9khifusbrxstream(). Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.191-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1
5.10.178-1
5.10.178-2
5.10.178-3
5.10.179-1
5.10.179-2
5.10.179-3
5.10.179-4
5.10.179-5

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.37-1

Affected versions

6.*

6.1.27-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.3.7-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.3.7-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}