CVE-2023-54191

Vulnerability

Description

A memory leak vulnerability exists in the Linux kernel's mt76 wireless driver, specifically in the mt7996 chipset support. The issue resides in the mt7996_mcu_exit function, which is responsible for cleaning up MCU (Micro-Controller Unit) related resources during driver exit or error handling. The bug is that the function fails to always purge the MCU skb (socket buffer) queues when mt7996_firmware_state fails, leading to a memory leak.

Exploitation & Attack Surface

Exploitation of this vulnerability requires local access to the system and the ability to trigger the driver's unload or error recovery path in a way that causes mt7996_firmware_state fails. The attack surface is limited to systems using the affected MediaTek MT7996 Wi-Fi chipsets, likely in enterprise or high-end consumer routers or embedded devices. No authentication is needed beyond local access, but the attacker must be able to influence driver state transitions, possibly by manipulating firmware execution or causing errors during driver operations.

Impact

An attacker successfully triggering the memory leak repeatedly could exhaust kernel memory, potentially leading to denial of service (DoS) on the affected system. The leak is within the skb queue structures; each leaked memory is not freed until system reboot, so sustained triggering could degrade performance or crash the system.

Mitigation

The fix, committed to the Linux kernel stable tree, ensures that the skb queues are purged regardless of the return value of mt7996_firmware_state. Users should apply kernel updates containing this commit [1]. No workaround is known other than patching. The vulnerability is not known to be exploited in the wild and is not listed on CISA KEV.