CVE-2023-53802
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function
It is stated that ath9k_htc_rx_msg() either frees the provided skb or passes its management to another callback function. However, the skb is not freed in case there is no other callback function, and Syzkaller was able to cause a memory leak. Also minor comment fix.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in ath9k_htc_rx_msg() in the Linux kernel occurs when an skb is not freed because no callback function is available; Syzkaller was able to trigger the leak.
Vulnerability Description
In the Linux kernel's ath9k_htc wireless driver, the function ath9k_htc_rx_msg() is responsible for handling received frames (skbs). According to the commit message, the function is documented to either free the provided skb or pass its management to another callback function. However, when no callback function is present, the skb is not freed, leading to a memory leak. This issue was discovered by the Linux Verification Center (linuxtesting.org) using Syzkaller [1][2][3].
Attack Vector and Prerequisites
An attacker would need local access to the system and the ability to send crafted wireless frames to an interface managed by the ath9k_htc driver. The vulnerability is triggered when ath9k_htc_rx_msg() is called and no callback function is registered, causing the skb to be leaked. Syzkaller demonstrated that the leak can be reliably reproduced, indicating that an unprivileged local user could cause repeated memory exhaustion [1][2][3].
Impact
Successful exploitation results in a gradual memory leak, potentially leading to denial of service (DoS) as system memory becomes depleted. The kernel may become unstable or crash due to out-of-memory conditions. There is no indication of code execution or privilege escalation from this vulnerability.
Mitigation
Stable kernel updates containing the fix are available. The fix adds an explicit kfree_skb() call for the case where no callback exists. Users should apply the patch from the stable kernel tree to prevent the leak [1][2][3].
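The ownership contract described above, as a userspace C model added here for illustration; it is not code from the ath9k_htc driver or from the fix commit. All names (buf, rx_msg_leaky, rx_msg_fixed, the 64-slot pool) are hypothetical stand-ins for the skb, the receive path and system memory.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model with hypothetical names; not the ath9k_htc source. */
#define POOL_SIZE 64                      /* constructed: finite "memory" */
struct buf { int in_use; };               /* stands in for struct sk_buff */
typedef void (*rx_cb)(struct buf *b);     /* callee takes ownership of b */
static struct buf pool[POOL_SIZE];

static struct buf *buf_alloc(void) {
    for (size_t i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;                          /* pool exhausted */
}
static void buf_free(struct buf *b) { if (b) b->in_use = 0; }
static void consume(struct buf *b) { buf_free(b); }  /* a registered handler */

/* Pre-fix shape: with cb == NULL nobody owns b any more, so it leaks. */
static void rx_msg_leaky(struct buf *b, rx_cb cb) {
    if (cb)
        cb(b);
}
/* Post-fix shape: every path either hands b off or frees it. */
static void rx_msg_fixed(struct buf *b, rx_cb cb) {
    if (cb)
        cb(b);
    else
        buf_free(b);
}

/* Deliver n messages from an empty pool; return buffers still held,
 * and store the number of failed allocations in *failed. */
static int run(void (*rx)(struct buf *, rx_cb), rx_cb cb, int n, int *failed) {
    int held = 0;
    *failed = 0;
    for (size_t i = 0; i < POOL_SIZE; i++) pool[i].in_use = 0;
    for (int i = 0; i < n; i++) {
        struct buf *b = buf_alloc();
        if (b) rx(b, cb); else (*failed)++;
    }
    for (size_t i = 0; i < POOL_SIZE; i++) held += pool[i].in_use;
    return held;
}

int main(void) {
    int f0, f1, f2;
    int h0 = run(rx_msg_leaky, consume, 100, &f0);  /* callback present */
    int h1 = run(rx_msg_leaky, NULL, 100, &f1);     /* no callback, pre-fix */
    int h2 = run(rx_msg_fixed, NULL, 100, &f2);     /* no callback, post-fix */
    printf("held/failed: %d/%d %d/%d %d/%d\n", h0, f0, h1, f1, h2, f2);
}
```

In the pre-fix shape the pool fills after 64 messages and every later allocation fails, which is the model's version of the memory depletion described under Impact.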
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 8
b11f95f65cc5, 68171c006c86, 564bc2222bf5, ec246dfe006b, c0c0614f143b, 5a84e51f7258, bbfababb4f89, 9b25e3985477
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/564bc2222bf50eb6cdee715a5431bf4dc9f923c1 (nvd)
- git.kernel.org/stable/c/5a84e51f72580fc70066b03f3dac38421e702a0b (nvd)
- git.kernel.org/stable/c/68171c006c8645a3e0293a6c3e6037c6538ac1c5 (nvd)
- git.kernel.org/stable/c/9b25e3985477ac3f02eca5fc1e0cc6850a3f7e69 (nvd)
- git.kernel.org/stable/c/b11f95f65cc52ee3a756e6f6a88df37a203e25bd (nvd)
- git.kernel.org/stable/c/bbfababb4f899fe1556eac195f9774b6fe675fb6 (nvd)
- git.kernel.org/stable/c/c0c0614f143b568cd0e9525d53cf12e5dcd11987 (nvd)
- git.kernel.org/stable/c/ec246dfe006b2a8f36353f7489e4f525114db9a5 (nvd)