{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-15T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()",
    "id" : "2395267",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2395267"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-125",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nwifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()\nFix a slab-out-of-bounds read that occurs in kmemdup() called from\nbrcmf_get_assoc_ies().\nThe bug could occur when assoc_info->req_len, data from a URB provided\nby a USB device, is bigger than the size of buffer which is defined as\nWL_EXTRA_BUF_MAX.\nAdd the size check for req_len/resp_len of assoc_info.\nFound by a modified version of syzkaller.\n[   46.592467][    T7] ==================================================================\n[   46.594687][    T7] BUG: KASAN: slab-out-of-bounds in kmemdup+0x3e/0x50\n[   46.596572][    T7] Read of size 3014656 at addr ffff888019442000 by task kworker/0:1/7\n[   46.598575][    T7]\n[   46.599157][    T7] CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G           O      5.14.0+ #145\n[   46.601333][    T7] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\n[   46.604360][    T7] Workqueue: events brcmf_fweh_event_worker\n[   46.605943][    T7] Call Trace:\n[   46.606584][    T7]  dump_stack_lvl+0x8e/0xd1\n[   46.607446][    T7]  print_address_description.constprop.0.cold+0x93/0x334\n[   46.608610][    T7]  ? kmemdup+0x3e/0x50\n[   46.609341][    T7]  kasan_report.cold+0x79/0xd5\n[   46.610151][    T7]  ? kmemdup+0x3e/0x50\n[   46.610796][    T7]  kasan_check_range+0x14e/0x1b0\n[   46.611691][    T7]  memcpy+0x20/0x60\n[   46.612323][    T7]  kmemdup+0x3e/0x50\n[   46.612987][    T7]  brcmf_get_assoc_ies+0x967/0xf60\n[   46.613904][    T7]  ? brcmf_notify_vif_event+0x3d0/0x3d0\n[   46.614831][    T7]  ? lock_chain_count+0x20/0x20\n[   46.615683][    T7]  ? mark_lock.part.0+0xfc/0x2770\n[   46.616552][    T7]  ? lock_chain_count+0x20/0x20\n[   46.617409][    T7]  ? mark_lock.part.0+0xfc/0x2770\n[   46.618244][    T7]  ? lock_chain_count+0x20/0x20\n[   46.619024][    T7]  brcmf_bss_connect_done.constprop.0+0x241/0x2e0\n[   46.620019][    T7]  ? brcmf_parse_configure_security.isra.0+0x2a0/0x2a0\n[   46.620818][    T7]  ? __lock_acquire+0x181f/0x5790\n[   46.621462][    T7]  brcmf_notify_connect_status+0x448/0x1950\n[   46.622134][    T7]  ? rcu_read_lock_bh_held+0xb0/0xb0\n[   46.622736][    T7]  ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0\n[   46.623390][    T7]  ? find_held_lock+0x2d/0x110\n[   46.623962][    T7]  ? brcmf_fweh_event_worker+0x19f/0xc60\n[   46.624603][    T7]  ? mark_held_locks+0x9f/0xe0\n[   46.625145][    T7]  ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0\n[   46.625871][    T7]  ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0\n[   46.626545][    T7]  brcmf_fweh_call_event_handler.isra.0+0x90/0x100\n[   46.627338][    T7]  brcmf_fweh_event_worker+0x557/0xc60\n[   46.627962][    T7]  ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100\n[   46.628736][    T7]  ? rcu_read_lock_sched_held+0xa1/0xd0\n[   46.629396][    T7]  ? rcu_read_lock_bh_held+0xb0/0xb0\n[   46.629970][    T7]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n[   46.630649][    T7]  process_one_work+0x92b/0x1460\n[   46.631205][    T7]  ? pwq_dec_nr_in_flight+0x330/0x330\n[   46.631821][    T7]  ? rwlock_bug.part.0+0x90/0x90\n[   46.632347][    T7]  worker_thread+0x95/0xe00\n[   46.632832][    T7]  ? __kthread_parkme+0x115/0x1e0\n[   46.633393][    T7]  ? process_one_work+0x1460/0x1460\n[   46.633957][    T7]  kthread+0x3a1/0x480\n[   46.634369][    T7]  ? set_kthread_struct+0x120/0x120\n[   46.634933][    T7]  ret_from_fork+0x1f/0x30\n[   46.635431][    T7]\n[   46.635687][    T7] Allocated by task 7:\n[   46.636151][    T7]  kasan_save_stack+0x1b/0x40\n[   46.636628][    T7]  __kasan_kmalloc+0x7c/0x90\n[   46.637108][    T7]  kmem_cache_alloc_trace+0x19e/0x330\n[   46.637696][    T7]  brcmf_cfg80211_attach+0x4a0/0x4040\n[   46.638275][    T7]  brcmf_attach+0x389/0xd40\n[   46.638739][    T7]  brcmf_usb_probe+0x12de/0x1690\n[   46.639279][    T7]  usb_probe_interface+0x2aa/0x760\n[   46.639820][    T7]  really_probe+0x205/0xb70\n[   46.640342][    T7]  __driver_probe_device+0\n---truncated---" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:7077",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-513.5.1.el8_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2025-12-17T00:00:00Z",
    "advisory" : "RHSA-2025:23445",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.2",
    "package" : "kernel-0:4.18.0-193.178.1.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2025-12-04T00:00:00Z",
    "advisory" : "RHSA-2025:22752",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.179.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2025-12-04T00:00:00Z",
    "advisory" : "RHSA-2025:22752",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "kernel-0:4.18.0-305.179.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2025-11-12T00:00:00Z",
    "advisory" : "RHSA-2025:21084",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.168.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2025-11-12T00:00:00Z",
    "advisory" : "RHSA-2025:21084",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.168.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2025-11-12T00:00:00Z",
    "advisory" : "RHSA-2025:21084",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.168.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2025-11-12T00:00:00Z",
    "advisory" : "RHSA-2025:21083",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.118.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2025-11-12T00:00:00Z",
    "advisory" : "RHSA-2025:21083",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.118.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-11-12T00:00:00Z",
    "advisory" : "RHSA-2025:21091",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.153.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-11-12T00:00:00Z",
    "advisory" : "RHSA-2025:21136",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.153.1.rt21.225.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-11-12T00:00:00Z",
    "advisory" : "RHSA-2025:21051",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.146.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-11-12T00:00:00Z",
    "advisory" : "RHSA-2025:21128",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.146.1.rt14.431.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53213\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53213\nhttps://lore.kernel.org/linux-cve-announce/2025091511-CVE-2023-53213-dfc5@gregkh/T" ],
  "name" : "CVE-2023-53213",
  "csaw" : false
}