CVE-2023-53721
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: Fix a NULL pointer dereference in ath12k_mac_op_hw_scan()
In ath12k_mac_op_hw_scan(), the return value of kzalloc() is directly used in memcpy(), which may lead to a NULL pointer dereference on failure of kzalloc().
Fix this bug by adding a check of arg.extraie.ptr.
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in ath12k_mac_op_hw_scan() due to unchecked kzalloc() return value could allow a local attacker to crash the kernel.
Vulnerability
Description
In the Linux kernel's ath12k wireless driver, the function ath12k_mac_op_hw_scan() allocates memory via kzalloc() for the arg.extraie.ptr field and then directly uses it in a memcpy() call without checking if the allocation succeeded. If kzalloc() fails (e.g., under memory pressure), the pointer is NULL, leading to a NULL pointer dereference when memcpy() attempts to write to it [1].
Exploitation
This vulnerability is triggered during a hardware scan operation on affected ath12k-based Wi-Fi devices (e.g., WCN7850). An attacker with local access and the ability to trigger a scan (e.g., via iw commands or network management tools) could exploit this by inducing memory exhaustion to cause kzalloc() to fail. No special privileges beyond the ability to initiate a Wi-Fi scan are required, as the driver is reachable from user space through standard nl80211 interfaces.
Impact
A successful exploit results in a kernel NULL pointer dereference, causing a system crash (denial of service). The vulnerability does not appear to allow arbitrary code execution or privilege escalation, as the dereference occurs in kernel context and leads to an immediate oops or panic.
Mitigation
The fix adds a check for arg.extraie.ptr after allocation, returning an error if it is NULL, preventing the dereference. The patch has been applied to the Linux kernel stable tree [1]. Users should update to a kernel version containing the fix (e.g., commit 8ad314da54c6). No workaround is available; updating the kernel is the recommended mitigation.
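The unchecked-allocation pattern and the added check described above, modeled in userspace C. This is an added example, not the ath12k driver code or the actual patch: model_kzalloc(), the struct layout, the function names, the sample bytes and the -ENOMEM return value are assumptions for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in; field names follow the page's arg.extraie.ptr. */
struct scan_arg { struct { unsigned char *ptr; size_t len; } extraie; };

static int fail_next_alloc;   /* test hook: simulate an allocation failure */

/* Models kzalloc(): zeroed memory, or NULL when the request cannot be met. */
static void *model_kzalloc(size_t n)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return calloc(1, n);
}

/* Before the fix: the allocation result goes straight into memcpy(). */
int copy_ie_unchecked(struct scan_arg *arg, const unsigned char *ie, size_t ie_len)
{
    arg->extraie.len = ie_len;
    arg->extraie.ptr = model_kzalloc(ie_len);
    memcpy(arg->extraie.ptr, ie, ie_len);  /* NULL destination if allocation failed */
    return 0;
}

/* After the fix: check the pointer and fail the request instead of copying. */
int copy_ie_checked(struct scan_arg *arg, const unsigned char *ie, size_t ie_len)
{
    arg->extraie.ptr = NULL;
    arg->extraie.len = 0;
    if (!ie_len)
        return 0;                          /* nothing to copy */
    arg->extraie.ptr = model_kzalloc(ie_len);
    if (!arg->extraie.ptr)
        return -ENOMEM;                    /* assumed error code; len stays 0 */
    memcpy(arg->extraie.ptr, ie, ie_len);
    arg->extraie.len = ie_len;             /* length set only once the buffer exists */
    return 0;
}

/* Runs the checked copy on constructed sample bytes, optionally failing the allocation. */
int run_checked(int inject_failure, struct scan_arg *out)
{
    static const unsigned char ie[] = { 0xdd, 0x04, 0x00, 0x11, 0x22, 0x33 };
    fail_next_alloc = inject_failure;
    return copy_ie_checked(out, ie, sizeof(ie));
}
```

The checked variant also sets the length only after the allocation succeeds, so a caller that sees the error never holds a non-zero length paired with a NULL pointer.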
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 2
5a263df398b5
8ad314da54c6
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0
No linked articles in our index yet.