{ "threat_severity" : "Moderate", "public_date" : "2025-09-18T00:00:00Z", "bugzilla" : { "description" : "kernel: HID: intel-ish-hid: Fix kernel panic during warm reset", "id" : "2396427", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2396427" }, "cvss3" : { "cvss3_base_score" : "4.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-476", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nHID: intel-ish-hid: Fix kernel panic during warm reset\nDuring warm reset device->fw_client is set to NULL. If a bus driver is\nregistered after this NULL setting and before new firmware clients are\nenumerated by ISHTP, kernel panic will result in the function\nishtp_cl_bus_match(). This is because of reference to\ndevice->fw_client->props.protocol_name.\nISH firmware after getting successfully loaded, sends a warm reset\nnotification to remove all clients from the bus and sets\ndevice->fw_client to NULL. Until kernel v5.15, all enabled ISHTP kernel\nmodule drivers were loaded right after any of the first ISHTP device was\nregistered, regardless of whether it was a matched or an unmatched\ndevice. This resulted in all drivers getting registered much before the\nwarm reset notification from ISH.\nStarting kernel v5.16, this issue got exposed after the change was\nintroduced to load only bus drivers for the respective matching devices.\nIn this scenario, cros_ec_ishtp device and cros_ec_ishtp driver are\nregistered after the warm reset device fw_client NULL setting.\ncros_ec_ishtp driver_register() triggers the callback to\nishtp_cl_bus_match() to match ISHTP driver to the device and causes kernel\npanic in guid_equal() when dereferencing fw_client NULL pointer to get\nprotocol_name." ], "statement" : "A race during ISH warm reset left device->fw_client as NULL while new ISHTP client drivers were being matched, leading to a NULL dereference in ishtp_cl_bus_match() and a kernel panic. Exploitation requires local, high-privilege control over driver registration and device timing. It isn’t remotely triggerable.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-05-22T00:00:00Z", "advisory" : "RHSA-2024:3138", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53392\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53392\nhttps://lore.kernel.org/linux-cve-announce/2025091858-CVE-2023-53392-9703@gregkh/T" ], "name" : "CVE-2023-53392", "csaw" : false }