{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: wifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems()",
    "id" : "2401560",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401560"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-190",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nwifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems()\nnl80211_parse_mbssid_elems() uses a u8 variable num_elems to count the\nnumber of MBSSID elements in the nested netlink attribute attrs, which can\nlead to an integer overflow if a user of the nl80211 interface specifies\n256 or more elements in the corresponding attribute in userspace. The\ninteger overflow can lead to a heap buffer overflow as num_elems determines\nthe size of the trailing array in elems, and this array is thereafter\nwritten to for each element in attrs.\nNote that this vulnerability only affects devices with the\nwiphy->mbssid_max_interfaces member set for the wireless physical device\nstruct in the device driver, and can only be triggered by a process with\nCAP_NET_ADMIN capabilities.\nFix this by checking for a maximum of 255 elements in attrs.", "An integer overflow flaw was found in the Linux kernel's nl80211 wireless configuration interface in the MBSSID element parsing logic. \nA local user with CAP_NET_ADMIN capability can trigger this issue by specifying 256 or more MBSSID elements through the nl80211 interface, causing the u8 counter num_elems to wrap to zero. This results in a heap buffer overflow when the code allocates space based on the wrapped value but then writes data for all supplied elements, leading to memory corruption and denial of service through kernel crash." ],
  "statement" : "The nl80211_parse_mbssid_elems function counts MBSSID (Multiple BSSID) configuration elements using a u8 variable that can only represent values 0-255. When userspace provides 256 or more elements, the counter wraps to zero due to integer overflow. The function then allocates a structure with a trailing array sized according to num_elems, but subsequently iterates through all supplied elements in attrs, writing beyond the allocated buffer. This heap overflow can cause memory corruption affecting kernel stability. The vulnerability only affects wireless devices where the driver sets wiphy->mbssid_max_interfaces, and exploitation requires CAP_NET_ADMIN capability, limiting the attack surface to privileged network configuration operations. The fix enforces a maximum of 255 elements.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-05-10T00:00:00Z",
    "advisory" : "RHSA-2022:1988",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-372.9.1.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53570\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53570\nhttps://lore.kernel.org/linux-cve-announce/2025100453-CVE-2023-53570-3733@gregkh/T" ],
  "name" : "CVE-2023-53570",
  "csaw" : false
}