{ "threat_severity" : "Moderate", "public_date" : "2025-10-04T00:00:00Z", "bugzilla" : { "description" : "kernel: bus: mhi: host: Range check CHDBOFF and ERDBOFF", "id" : "2401500", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401500" }, "cvss3" : { "cvss3_base_score" : "4.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-787", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbus: mhi: host: Range check CHDBOFF and ERDBOFF\nIf the value read from the CHDBOFF and ERDBOFF registers is outside the\nrange of the MHI register space then an invalid address might be computed\nwhich later causes a kernel panic. Range check the read value to prevent\na crash due to bad data from the device.", "A missing bounds check flaw was found in the Linux kernel's Modem Host Interface bus driver in the channel doorbell offset validation logic. \nA local user can trigger this issue on systems with MHI devices (typically Qualcomm modems or wireless cards) by using a device that provides malformed or malicious channel configuration data during initialization, causing an out-of-bounds array access. This leads to kernel memory corruption resulting in a panic or denial of service." ], "statement" : "MHI devices communicate channel configuration through doorbell offset values (CHDBOFF and ERDBOFF) that index into the device's register space. The driver reads these offsets from device memory during initialization but historically failed to validate that they fall within legitimate bounds. A malicious device—or a legitimate device with corrupted firmware—can supply offset values that point outside the allocated channel context array. When the driver attempts to use these offsets, it accesses arbitrary kernel memory, typically triggering an immediate panic. Physical access is generally required to connect a malicious device, though in some cases (like M.2 modems) a compromised device firmware could supply bad values.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2021-11-09T00:00:00Z", "advisory" : "RHSA-2021:4356", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-348.el8" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-11-14T00:00:00Z", "advisory" : "RHSA-2023:7077", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-513.5.1.el8_9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53598\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53598\nhttps://lore.kernel.org/linux-cve-announce/2025100429-CVE-2023-53598-cbd8@gregkh/T" ], "name" : "CVE-2023-53598", "csaw" : false }