CVE-2023-53840

Vulnerability

Overview

CVE-2023-53840 is a memory safety flaw in the Linux kernel's early USB xHCI debug capability (xhci-dbc) driver. The root cause lies in the xdbc_trace() function: if xdbc_bulk_write() fails, the contents of the static buf array are indeterminate and not guaranteed to be NULL-terminated. When xdbc_trace() subsequently processes this buffer, it may read past the intended boundaries, leading to an out-of-bounds memory access [1].

Attack

Vector and Impact

The vulnerability is triggerable during early USB debug output, which is enabled only when the kernel is booted with specific debug parameters. An attacker would need local access to the system or control over the USB debug connection to induce a failure in xdbc_bulk_write(). However, the primary impact is a potential denial of service (system crash or memory corruption) rather than privilege escalation, as the bug lies in a debugging subsystem that is not exposed to unprivileged users by default.

Mitigation

The fix, merged into the stable kernel tree, reserves an extra byte in the static buf variable, which is automatically zeroed due to its static storage class [1]. This ensures that even if xdbc_bulk_write() fails, the buffer remains NULL-terminated, preventing the out-of-bounds read. Users should apply the latest stable kernel updates to address this issue.