{ "threat_severity" : "Important", "public_date" : "2025-12-30T00:00:00Z", "bugzilla" : { "description" : "kernel: wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace", "id" : "2426235", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426235" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-121", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nwifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace\nA received TKIP key may be up to 32 bytes because it may contain\nMIC rx/tx keys too. These are not used by iwl and copying these\nover overflows the iwl_keyinfo.key field.\nAdd a check to not copy more data to iwl_keyinfo.key then will fit.\nThis fixes backtraces like this one:\nmemcpy: detected field-spanning write (size 32) of single field \"sta_cmd.key.key\" at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 (size 16)\nWARNING: CPU: 1 PID: 946 at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 iwlagn_send_sta_key+0x375/0x390 [iwldvm]\n\nHardware name: Dell Inc. Latitude E6430/0H3MT5, BIOS A21 05/08/2017\nRIP: 0010:iwlagn_send_sta_key+0x375/0x390 [iwldvm]\n\nCall Trace:\n\niwl_set_dynamic_key+0x1f0/0x220 [iwldvm]\niwlagn_mac_set_key+0x1e4/0x280 [iwldvm]\ndrv_set_key+0xa4/0x1b0 [mac80211]\nieee80211_key_enable_hw_accel+0xa8/0x2d0 [mac80211]\nieee80211_key_replace+0x22d/0x8e0 [mac80211]\n", "A vulnerability was discovered in the Intel wireless iwlwifi driver in the Linux kernel that could lead to a buffer overflow in the Driver Virtualization Module key handling code. When processing a received TKIP key that includes MIC rx/tx components, the driver did not adequately limit the amount of key data copied into the fixed-length iwl_keyinfo.key field, potentially causing a field-spanning write and kernel backtrace (crash)." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-11-14T00:00:00Z", "advisory" : "RHSA-2023:7077", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-513.5.1.el8_9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54286\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54286\nhttps://lore.kernel.org/linux-cve-announce/2025123027-CVE-2023-54286-efd5@gregkh/T" ], "name" : "CVE-2023-54286", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }