{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-30T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: crypto: qat - fix out-of-bounds read",
    "id" : "2426061",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426061"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-131",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ncrypto: qat - fix out-of-bounds read\nWhen preparing an AER-CTR request, the driver copies the key provided by\nthe user into a data structure that is accessible by the firmware.\nIf the target device is QAT GEN4, the key size is rounded up by 16 since\na rounded up size is expected by the device.\nIf the key size is rounded up before the copy, the size used for copying\nthe key might be bigger than the size of the region containing the key,\ncausing an out-of-bounds read.\nFix by doing the copy first and then update the keylen.\nThis is to fix the following warning reported by KASAN:\n[  138.150574] BUG: KASAN: global-out-of-bounds in qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat]\n[  138.150641] Read of size 32 at addr ffffffff88c402c0 by task cryptomgr_test/2340\n[  138.150651] CPU: 15 PID: 2340 Comm: cryptomgr_test Not tainted 6.2.0-rc1+ #45\n[  138.150659] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.86B.0087.D13.2208261706 08/26/2022\n[  138.150663] Call Trace:\n[  138.150668]  <TASK>\n[  138.150922]  kasan_check_range+0x13a/0x1c0\n[  138.150931]  memcpy+0x1f/0x60\n[  138.150940]  qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat]\n[  138.151006]  qat_alg_skcipher_init_sessions+0xc1/0x240 [intel_qat]\n[  138.151073]  crypto_skcipher_setkey+0x82/0x160\n[  138.151085]  ? prepare_keybuf+0xa2/0xd0\n[  138.151095]  test_skcipher_vec_cfg+0x2b8/0x800", "An out-of-bounds read vulnerability was found in the Linux kernel's Intel QAT (QuickAssist Technology) crypto driver. When preparing an AES-CTR encryption request on QAT GEN4 devices, the driver rounds up the key size by 16 bytes before copying. If this rounding occurs before the memcpy operation, the driver reads beyond the bounds of the user-provided key buffer." ],
  "statement" : "This flaw affects systems with Intel QAT GEN4 hardware accelerators using the crypto API. The out-of-bounds read occurs during cipher key setup and could potentially leak kernel memory contents or cause a crash. Exploitation requires local access and the ability to configure cryptographic operations on QAT devices.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-05-30T00:00:00Z",
    "advisory" : "RHSA-2023:3349",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-477.13.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:7077",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-513.5.1.el8_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-06-21T00:00:00Z",
    "advisory" : "RHSA-2023:3723",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.18.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-06-21T00:00:00Z",
    "advisory" : "RHSA-2023:3723",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.18.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54325\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54325\nhttps://lore.kernel.org/linux-cve-announce/2025123016-CVE-2023-54325-3e5c@gregkh/T" ],
  "name" : "CVE-2023-54325",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the intel_qat module from being loaded. See https://access.redhat.com/solutions/41278 for instructions.",
    "lang" : "en:us"
  },
  "csaw" : false
}