CVE-2023-53833

Root

Cause

The vulnerability resides in the drm/i915 driver within the Linux kernel. The function intel_atomic_get_new_crtc_state can return a NULL pointer unless the corresponding CRTC state was previously obtained via intel_atomic_get_crtc_state. The code in question fails to check the return value for NULL before dereferencing it, leading to a NULL pointer dereference. This pattern of missing NULL checks has been identified and fixed in many similar locations within the driver [1].

Exploitation

An attacker would need to trigger a specific atomic modeset operation that causes intel_atomic_get_new_crtc_state to return NULL when the calling code does not expect it. The exact attack vector involves manipulating the display state in a way that bypasses prior calls to intel_atomic_get_crtc_state, likely requiring local access to the system or the ability to issue DRM IOCTLs. No authentication beyond normal user-space access to the DRM subsystem is mentioned in the sources.

Impact

Successful exploitation results in a NULL pointer dereference, which causes a kernel panic (denial of service). The description and patch note indicate that the issue was confirmed to cause a crash, but there is no indication of privilege escalation or data corruption. The impact is limited to system availability.

Mitigation

The fix has been applied to the Linux kernel stable tree (commit 1d5b09f8daf859247a1ea65b0d732a24d88980d8, also backported as commit a41d985902c153c31c616fe183cf2ee331e95ecb). Users should update their kernel to a version containing the patch. No workaround is mentioned; the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.