CVE-2023-54275
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: Fix memory leak in ath11k_peer_rx_frag_setup
crypto_alloc_shash() allocates resources, which should be released by crypto_free_shash(). When ath11k_peer_find() fails, there is a memory leak. Add missing crypto_free_shash() to fix this.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in ath11k_peer_rx_frag_setup occurs when crypto_alloc_shash() resources are not freed if ath11k_peer_find() fails.
Vulnerability
In the Linux kernel's ath11k wireless driver, the function ath11k_peer_rx_frag_setup allocates a cryptographic hash (shash) via crypto_alloc_shash(). If the subsequent call to ath11k_peer_find() fails, the allocated resources are not released, leading to a memory leak [1].
Exploitation
This vulnerability is triggered during the processing of received fragmented frames on an ath11k device. An attacker on the same Wi-Fi network could potentially cause ath11k_peer_find() to fail by sending crafted frames, thereby repeatedly triggering the leak. No special privileges are required beyond being able to send Wi-Fi frames to the target device.
Impact
Repeated exploitation can exhaust kernel memory, leading to denial of service (system instability or crash). The leak does not directly allow code execution or privilege escalation.
Mitigation
The fix adds a call to crypto_free_shash() before returning on failure, which has been applied to the stable kernel tree [2]. Users should update to a kernel version containing the commit that resolves CVE-2023-54275.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
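The leak and its fix described above, as a userspace C model added here for illustration; it is not the ath11k driver code or the upstream patch. The names model_alloc_shash, model_free_shash, frag_setup_leaky and frag_setup_fixed, and the 64-slot pool standing in for finite kernel memory, are assumptions of this example.

```c
/* Userspace model added for illustration: not kernel code, all names are stand-ins. */
#include <errno.h>
#include <stdio.h>

#define POOL_SLOTS 64   /* constructed stand-in for finite kernel memory */
static int live_tfms;   /* hash transforms allocated and not yet freed */
static int model_alloc_shash(void)                    /* models crypto_alloc_shash() */
{
    if (live_tfms == POOL_SLOTS) return -ENOMEM;
    live_tfms++;
    return 0;
}
static void model_free_shash(void) { live_tfms--; }   /* models crypto_free_shash() */

/* Pre-fix shape: the lookup-failure return skips the release. */
int frag_setup_leaky(int peer_found)
{
    int ret = model_alloc_shash();
    if (ret) return ret;
    if (!peer_found)        /* models ath11k_peer_find() failing */
        return -ENOENT;     /* the transform is still allocated: leak */
    return 0;               /* success: the peer keeps the transform */
}

/* Post-fix shape: free the transform before returning on lookup failure. */
int frag_setup_fixed(int peer_found)
{
    int ret = model_alloc_shash();
    if (ret) return ret;
    if (!peer_found) {
        model_free_shash();
        return -ENOENT;
    }
    return 0;
}

/* Runs `failures` failed lookups from an empty pool, then one valid setup. */
int setup_after_failures(int (*setup)(int), int failures)
{
    live_tfms = 0;
    for (int i = 0; i < failures; i++) setup(0);
    return setup(1);
}

int main(void)
{
    printf("pre-fix: %d, post-fix: %d\n", setup_after_failures(frag_setup_leaky, POOL_SLOTS), setup_after_failures(frag_setup_fixed, POOL_SLOTS));
    return 0;
}
```

In the pre-fix shape every failed lookup pins one slot, so once the pool is full a valid setup returns -ENOMEM; in the post-fix shape the same sequence leaves the pool empty and the valid setup succeeds.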
Affected products (1)
Patches (5)
137963e3b957, 53c8a256e5d3, 64a78ec4f457, e596b36e15a7, ed3f83b3459a
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- git.kernel.org/stable/c/137963e3b95776f1d57c62f249a93fe47e019a22 (nvd)
- git.kernel.org/stable/c/53c8a256e5d3f31d80186de03a3d2a7f747b2aa0 (nvd)
- git.kernel.org/stable/c/64a78ec4f4579798d8e885aca9bdd707bca6b16b (nvd)
- git.kernel.org/stable/c/e596b36e15a7158b0bb2d55077b6b381ee41020c (nvd)
- git.kernel.org/stable/c/ed3f83b3459a67a3ab9d806490ac304b567b1c2d (nvd)