CVE-2023-54198
Description
In the Linux kernel, the following vulnerability has been resolved:
tty: fix out-of-bounds access in tty_driver_lookup_tty()
When specifying an invalid console= device like console=tty3270, tty_driver_lookup_tty() returns the tty struct without checking whether index is a valid number.
To reproduce:
qemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \
    -kernel ../linux-build-x86/arch/x86/boot/bzImage \
    -append "console=ttyS0 console=tty3270"
This crashes with:
[ 0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef
[ 0.771265] #PF: supervisor read access in kernel mode
[ 0.771773] #PF: error_code(0x0000) - not-present page
[ 0.772609] Oops: 0000 [#1] PREEMPT SMP PTI
[ 0.774878] RIP: 0010:tty_open+0x268/0x6f0
[ 0.784013] chrdev_open+0xbd/0x230
[ 0.784444] ? cdev_device_add+0x80/0x80
[ 0.784920] do_dentry_open+0x1e0/0x410
[ 0.785389] path_openat+0xca9/0x1050
[ 0.785813] do_filp_open+0xaa/0x150
[ 0.786240] file_open_name+0x133/0x1b0
[ 0.786746] filp_open+0x27/0x50
[ 0.787244] console_on_rootfs+0x14/0x4d
[ 0.787800] kernel_init_freeable+0x1e4/0x20d
[ 0.788383] ? rest_init+0xc0/0xc0
[ 0.788881] kernel_init+0x11/0x120
[ 0.789356] ret_from_fork+0x22/0x30
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Out-of-bounds access in tty_driver_lookup_tty() in Linux kernel due to missing index validation when an invalid console= device is specified.
Vulnerability
In the Linux kernel, an out-of-bounds access vulnerability exists in the tty_driver_lookup_tty() function. When an invalid console= device string (e.g., console=tty3270) is specified during boot, the function returns a tty struct without verifying that the index is within valid bounds. This can lead to a NULL pointer dereference and system crash [1][2][3].
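The missing check described above, as an added example that is not the kernel's code or its patch: a simplified userspace C model of an index-based tty table lookup, unchecked and then hardened. The struct and function names are hypothetical, and treating 3270 (the trailing number in console=tty3270) as the index is an assumption of this model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified userspace model; names are hypothetical, not kernel definitions. */
struct model_tty { int index; };

struct model_driver {
    unsigned int num;          /* number of slots in ttys[] */
    struct model_tty **ttys;   /* per-index tty table */
};

/* "Before": the index is used without validation, as the description states.
 * Calling this with idx >= num reads past the table (undefined behaviour). */
struct model_tty *lookup_unchecked(const struct model_driver *d, unsigned int idx)
{
    return d->ttys[idx];
}

/* Hardened: reject an out-of-range index before touching the table.
 * Returns 0 and sets *out (NULL for an empty slot), or -EINVAL. */
int lookup_checked(const struct model_driver *d, unsigned int idx,
                   struct model_tty **out)
{
    if (idx >= d->num)
        return -EINVAL;
    *out = d->ttys[idx];
    return 0;
}

/* Constructed sample data: a 4-slot driver with only slot 1 populated. */
static struct model_tty tty1 = { .index = 1 };
static struct model_tty *table[4] = { NULL, &tty1, NULL, NULL };
static const struct model_driver sample = { .num = 4, .ttys = table };

int main(void)
{
    struct model_tty *t = NULL;

    /* In-range index succeeds; 3270 (assumed index from console=tty3270)
     * and the first out-of-range slot are both refused. */
    printf("idx 1    -> %d\n", lookup_checked(&sample, 1, &t));
    printf("idx 3270 -> %d\n", lookup_checked(&sample, 3270, &t));
    printf("idx 4    -> %d\n", lookup_checked(&sample, 4, &t));
    return 0;
}
```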
Exploitation
The attack vector is local, requiring the ability to pass kernel boot parameters. An attacker with access to the boot loader configuration or kernel command line can trigger the vulnerability by setting an invalid console device. No authentication is needed as boot parameters are set before user login.
Impact
Successful exploitation results in a denial of service, as demonstrated by a kernel NULL pointer dereference and subsequent system crash. The crash occurs during early boot when the kernel attempts to open the console device.
Mitigation
The vulnerability has been fixed in the Linux kernel stable releases. Patches are available in the Git repository [1][2][3]. Affected systems should update to the latest stable kernel version to mitigate the issue.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 8
3df6f492f500 b79109d6470a 953a4a352a0c 84ea44dc3e4e f9d9d25ad1f0 765566110eb0 fcfeaa570f7a db4df8e9d79e
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 8
- git.kernel.org/stable/c/3df6f492f500a16c231f07ccc6f6ed1302caddf9 (nvd)
- git.kernel.org/stable/c/765566110eb0da3cf60198b0165ecceeaafa6444 (nvd)
- git.kernel.org/stable/c/84ea44dc3e4ecb2632586238014bf6722aa5843b (nvd)
- git.kernel.org/stable/c/953a4a352a0c185460ae1449e4c6e6658e55fdfc (nvd)
- git.kernel.org/stable/c/b79109d6470aaae7062998353e3a19449055829d (nvd)
- git.kernel.org/stable/c/db4df8e9d79e7d37732c1a1b560958e8dadfefa1 (nvd)
- git.kernel.org/stable/c/f9d9d25ad1f0d060eaf297a2f7f03b5855a45561 (nvd)
- git.kernel.org/stable/c/fcfeaa570f7a5c2d5f4f14931909531ff18b7fde (nvd)