VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 8, 2025· Updated Apr 15, 2026

CVE-2023-53761

CVE-2023-53761

Description

In the Linux kernel, the following vulnerability has been resolved:

USB: usbtmc: Fix direction for 0-length ioctl control messages

The syzbot fuzzer found a problem in the usbtmc driver: When a user submits an ioctl for a 0-length control transfer, the driver does not check that the direction is set to OUT:

------------[ cut here ]------------ usb 3-1: BOGUS control dir, pipe 80000b80 doesn't match bRequestType fd WARNING: CPU: 0 PID: 5100 at drivers/usb/core/urb.c:411 usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411 Modules linked in: CPU: 0 PID: 5100 Comm: syz-executor428 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 RIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411 Code: 7c 24 40 e8 1b 13 5c fb 48 8b 7c 24 40 e8 21 1d f0 fe 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 e0 b5 fc 8a e8 19 c8 23 fb <0f> 0b e9 9f ee ff ff e8 ed 12 5c fb 0f b6 1d 12 8a 3c 08 31 ff 41 RSP: 0018:ffffc90003d2fb00 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff8880789e9058 RCX: 0000000000000000 RDX: ffff888029593b80 RSI: ffffffff814c1447 RDI: 0000000000000001 RBP: ffff88801ea742f8 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802915e528 R13: 00000000000000fd R14: 0000000080000b80 R15: ffff8880222b3100 FS: 0000555556ca63c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9ef4d18150 CR3: 0000000073e5b000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:

usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153 usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1954 [inline] usbtmc_ioctl+0x1b3d/0x2840 drivers/usb/class/usbtmc.c:2097

To fix this, we must override the direction in the bRequestType field of the control request structure when the length is 0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing direction check in the Linux kernel's USB usbtmc driver for 0-length control transfers allows local users to trigger a kernel warning, leading to a denial of service.

Vulnerability

Description

The vulnerability resides in the Linux kernel's USB Test and Measurement Class (usbtmc) driver. When processing ioctl commands for 0-length control transfers, the driver fails to verify that the transfer direction is set to OUT. A user with access to the usbtmc device can submit a control message with an incorrect direction (e.g., IN), triggering the kernel warning "BOGUS control dir" in usb_submit_urb().

Exploitation

An attacker with local access to the system and the ability to interact with the usbtmc device can send a specially crafted ioctl to provoke the bug. No authentication is required beyond the ability to open the device file (typically requiring root or appropriate permissions). The syzbot fuzzer demonstrated that the issue is reachable from user space.

Impact

The primary impact is a denial of service, as the kernel warning may cause system instability or a panic. Additionally, the unexpected behavior could lead to further vulnerabilities if the warning is not handled correctly.

Mitigation

The Linux kernel has backported fixes to stable trees. Users should apply the patches committed as 6340e432cf70 [1], 50775a046c68 [2], and 94d25e912898 [3] for kernels 6.3.x or newer. Updating to a kernel containing these patches resolves the issue.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

6
7cef7681aa77
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
6340e432cf70
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
3b43d9df27a7
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
0ced12bdf624
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
50775a046c68
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
94d25e912898
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.