CVE-2023-53717
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback()
Fix a stack-out-of-bounds write that occurs in a WMI response callback function that is called after a timeout occurs in ath9k_wmi_cmd(). The callback writes to wmi->cmd_rsp_buf, a stack-allocated buffer that could no longer be valid when a timeout occurs. Set wmi->last_seq_id to 0 when a timeout occurred.
Found by a modified version of syzkaller.
BUG: KASAN: stack-out-of-bounds in ath9k_wmi_ctrl_rx
Write of size 4
Call Trace:
 memcpy
 ath9k_wmi_ctrl_rx
 ath9k_htc_rx_msg
 ath9k_hif_usb_reg_in_cb
 __usb_hcd_giveback_urb
 usb_hcd_giveback_urb
 dummy_timer
 call_timer_fn
 run_timer_softirq
 __do_softirq
 irq_exit_rcu
 sysvec_apic_timer_interrupt
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack-out-of-bounds write in the Linux kernel's ath9k WiFi driver can occur when a WMI command timeout triggers a callback that writes to an invalid stack buffer.
Vulnerability
A stack-out-of-bounds write vulnerability exists in the ath9k_wmi_rsp_callback() function of the Linux kernel's ath9k WiFi driver. When a WMI command times out in ath9k_wmi_cmd(), the callback may still execute and write to wmi->cmd_rsp_buf, a stack-allocated buffer that is no longer valid after the timeout. This can lead to memory corruption and potential exploitation [1][2].
Exploitation
An attacker with local access to the system can trigger this vulnerability by sending crafted WMI commands to the ath9k device, possibly via USB or network interactions. The bug is a race condition: the command times out and its caller returns, but the response callback still runs afterwards and writes to stack memory that is no longer valid. No special privileges are required beyond the ability to interact with the device [3].
Impact
Successful exploitation could result in a denial of service (system crash) or, in more severe cases, privilege escalation due to corruption of kernel memory. The issue was discovered using a modified version of the syzkaller fuzzer [4].
Mitigation
The fix has been applied to the Linux kernel stable branches. The patch sets wmi->last_seq_id to 0 when a timeout occurs, preventing the callback from writing to the stale buffer. Users should update to the latest kernel version that includes this commit [1][2][3][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
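The sequence-id guard described under Mitigation above, as an added example that is not the ath9k driver's own code: a single-threaded model in which the issuer registers a response buffer and a sequence id, the timeout path clears the id (the patched behaviour) or leaves it alone (the unpatched behaviour), and the receive path copies a late response only when the id still matches. The struct layout, function names, the convention that a last_seq_id of 0 means "nothing pending", and the sample payload are all assumptions made for this model; the real driver serializes these fields with a spinlock and reads the sequence id from the WMI header.

```c
/* Added example, not ath9k code: a minimal model of the sequence-id guard
 * that the fix relies on. Names, layout and the "0 = no command pending"
 * convention are assumptions; the real driver holds these fields under
 * a spinlock and compares against the sequence number in the WMI header. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct wmi_model {
    uint8_t *cmd_rsp_buf;   /* where the response for the pending command goes */
    uint16_t cmd_rsp_len;   /* size of that buffer */
    uint16_t last_seq_id;   /* id of the command still waiting; 0 = none */
    int fixed;              /* 1: clear last_seq_id on timeout, as the patch does */
};

/* Issue a command: register the caller's response buffer and sequence id. */
void wmi_issue(struct wmi_model *w, uint16_t seq_id, uint8_t *rsp_buf, uint16_t rsp_len)
{
    w->cmd_rsp_buf = rsp_buf;
    w->cmd_rsp_len = rsp_len;
    w->last_seq_id = seq_id;
}

/* The caller gave up waiting. With the fix the pending id is cleared, so a
 * late response can no longer be matched to a buffer the caller abandoned. */
void wmi_timeout(struct wmi_model *w)
{
    if (w->fixed)
        w->last_seq_id = 0;
}

/* Receive path: copy a response only if it belongs to the command that is
 * still waiting. Returns 1 if the payload was copied, 0 if it was dropped. */
int wmi_ctrl_rx(struct wmi_model *w, uint16_t seq_id, const uint8_t *payload, uint16_t len)
{
    if (w->last_seq_id == 0 || w->last_seq_id != seq_id)
        return 0;               /* no matching command pending: drop */
    if (len > w->cmd_rsp_len)
        return 0;               /* response larger than the registered buffer */
    memcpy(w->cmd_rsp_buf, payload, len);
    w->last_seq_id = 0;         /* one response per command */
    return 1;
}

/* Timeout, then a late response for the same id. Reports whether the late
 * response was written into the (abandoned) buffer. */
int late_response_written(int fixed)
{
    uint8_t rsp[16] = {0};                       /* stands in for the caller's stack buffer */
    const uint8_t payload[4] = {1, 2, 3, 4};     /* constructed sample response */
    struct wmi_model w = { .fixed = fixed };

    wmi_issue(&w, 7, rsp, sizeof rsp);
    wmi_timeout(&w);                             /* caller returns; rsp would go out of scope */
    return wmi_ctrl_rx(&w, 7, payload, sizeof payload);
}

/* Normal path: the response arrives before any timeout and is accepted. */
int timely_response_written(void)
{
    uint8_t rsp[16] = {0};
    const uint8_t payload[4] = {1, 2, 3, 4};
    struct wmi_model w = { .fixed = 1 };

    wmi_issue(&w, 7, rsp, sizeof rsp);
    return wmi_ctrl_rx(&w, 7, payload, sizeof payload) && rsp[3] == 4;
}

int main(void)
{
    printf("unpatched: late response written = %d\n", late_response_written(0));
    printf("patched:   late response written = %d\n", late_response_written(1));
    printf("patched:   timely response written = %d\n", timely_response_written());
    return 0;
}
```

In the unpatched run the late response is still matched and copied, which in the real driver is the write into a stack frame that no longer exists; in the patched run the cleared id makes the receive path drop it, while a response that arrives in time is still delivered.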
Affected products (1)
Patches (8)
- 89a33c3c847b
- ae4933b4f17d
- bf6dc175a2b5
- 78b56b0a613a
- 1af7eacfad45
- 8f28513d9520
- 554048a72d7e
- 8a2f35b98306
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/1af7eacfad45149c54893a8a9df9e92ef89f0a90 (nvd)
- git.kernel.org/stable/c/554048a72d7ecfdd58cc1bfb56e0a1864e64e82c (nvd)
- git.kernel.org/stable/c/78b56b0a613a87b61290b95be497fdfe2fe58aa6 (nvd)
- git.kernel.org/stable/c/89a33c3c847b19b19205cde1d924df2a6c70d8eb (nvd)
- git.kernel.org/stable/c/8a2f35b9830692f7a616f2f627f943bc748af13a (nvd)
- git.kernel.org/stable/c/8f28513d9520184059530c01a9f928a1b3809d3f (nvd)
- git.kernel.org/stable/c/ae4933b4f17de8e2b7ff6f91b17d3b0099a6d6bc (nvd)
- git.kernel.org/stable/c/bf6dc175a2b53098a69db1236d9d53982f4b1bc0 (nvd)
News mentions (0)
No linked articles in our index yet.