CVE-2023-53787

Vulnerability

Description

CVE-2023-53787 is a null pointer dereference vulnerability in the Linux kernel's regulator subsystem, specifically in the da9063 regulator driver. The root cause is that when some regulators do not have corresponding Device Tree (DT) nodes, their init_data pointer is NULL. The function da9063_check_xvp_constraints() then uses this NULL pointer to compute other pointers, leading to an invalid memory dereference and a kernel crash on boot.

Exploitation and

Attack Surface

This vulnerability is triggered during system boot when a device uses a partial DT configuration that omits nodes for some of the da9063 regulators. No authentication or special privileges are required; the condition occurs automatically at boot time. An attacker who can influence the DT configuration (e.g., by providing a malicious device tree overlay or bootloader configuration) could induce the crash, causing a denial of service (DoS) on the system.

Impact and

Mitigation

The impact is a denial of service where the system fails to boot or becomes unstable due to a kernel panic. The bug was fixed in a kernel commit [1] by adding a NULL pointer check before dereferencing the init_data pointer. Users should apply the patch from the stable kernel releases. No known exploitation in the wild has been reported, and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

[1]: https://git.kernel.org/stable/c/98e2dd5f7a8be5cb2501a897e96910393a49f0ff