{ "threat_severity" : "Moderate", "public_date" : "2025-10-01T00:00:00Z", "bugzilla" : { "description" : "kernel: Linux kernel: Integer overflow in iwlwifi debugfs function", "id" : "2400791", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2400791" }, "cvss3" : { "cvss3_base_score" : "3.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status" : "verified" }, "cwe" : "CWE-190", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nwifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf\nAn integer overflow occurs in the iwl_write_to_user_buf() function,\nwhich is called by the iwl_dbgfs_monitor_data_read() function.\nstatic bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count,\nvoid *buf, ssize_t *size,\nssize_t *bytes_copied)\n{\nint buf_size_left = count - *bytes_copied;\nbuf_size_left = buf_size_left - (buf_size_left % sizeof(u32));\nif (*size > buf_size_left)\n*size = buf_size_left;\nIf the user passes a SIZE_MAX value to the \"ssize_t count\" parameter,\nthe ssize_t count parameter is assigned to \"int buf_size_left\".\nThen compare \"*size\" with \"buf_size_left\" . Here, \"buf_size_left\" is a\nnegative number, so \"*size\" is assigned \"buf_size_left\" and goes into\nthe third argument of the copy_to_user function, causing a heap overflow.\nThis is not a security vulnerability because iwl_dbgfs_monitor_data_read()\nis a debugfs operation with 0400 privileges.", "A flaw was identified in the Linux kernel’s iwlwifi PCIe driver. In the function iwl_write_to_user_buf()—which is invoked by iwl_dbgfs_monitor_data_read()—an attacker could supply a specially crafted count value (e.g., SIZE_MAX). This leads to an integer overflow when calculating the remaining buffer space, potentially resulting in a negative value that is incorrectly used as a length in a subsequent copy_to_user() call, which can result in a heap overflow condition." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-11-14T00:00:00Z", "advisory" : "RHSA-2023:7077", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-513.5.1.el8_9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53524\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53524\nhttps://lore.kernel.org/linux-cve-announce/2025100134-CVE-2023-53524-d438@gregkh/T" ], "name" : "CVE-2023-53524", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.", "lang" : "en:us" }, "csaw" : false }