VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2023-54287

Description

In the Linux kernel, the following vulnerability has been resolved:

tty: serial: imx: disable Ageing Timer interrupt request irq

There may be a pending USR interrupt before requesting the irq; however, uart_add_one_port has not executed, so there will be a kernel panic:

[ 0.795668] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080
[ 0.802701] Mem abort info:
[ 0.805367] ESR = 0x0000000096000004
[ 0.808950] EC = 0x25: DABT (current EL), IL = 32 bits
[ 0.814033] SET = 0, FnV = 0
[ 0.816950] EA = 0, S1PTW = 0
[ 0.819950] FSC = 0x04: level 0 translation fault
[ 0.824617] Data abort info:
[ 0.827367] ISV = 0, ISS = 0x00000004
[ 0.831033] CM = 0, WnR = 0
[ 0.833866] [0000000000000080] user address but active_mm is swapper
[ 0.839951] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[ 0.845953] Modules linked in:
[ 0.848869] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.1+g56321e101aca #1
[ 0.855617] Hardware name: Freescale i.MX8MP EVK (DT)
[ 0.860452] pstate: 000000c5 (nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 0.867117] pc : __imx_uart_rxint.constprop.0+0x11c/0x2c0
[ 0.872283] lr : imx_uart_int+0xf8/0x1ec

The issue only happens in the inmate linux when the Jailhouse hypervisor is enabled. The test procedure is:

    while true; do
        jailhouse enable imx8mp.cell
        jailhouse cell linux xxxx
        sleep 10
        jailhouse cell destroy 1
        jailhouse disable
        sleep 5
    done

And during the above test, press keys on the 2nd linux console. When jailhouse cell destroy 1 runs, the 2nd linux has no chance to put the uart into a quiesced state, so USR1/2 may have pending interrupts. Then when jailhouse cell linux xx starts the 2nd linux again, the issue triggers.

In order to disable irqs before requesting them, both UCR1 and UCR2 irqs should be disabled, so fix that here: disable the Ageing Timer interrupt in UCR2, as is done for UCR1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A kernel NULL pointer dereference in imx serial driver when an ageing timer interrupt fires before port registration, triggered during Jailhouse cell lifecycle.

Vulnerability

CVE-2023-54287 is a NULL pointer dereference vulnerability in the i.MX UART serial driver (drivers/tty/serial/imx.c) within the Linux kernel. The root cause is that the Ageing Timer interrupt in the UCR2 register is not disabled before the interrupt request is registered, whereas the UCR1 interrupt is correctly disabled. During certain scenarios—specifically when a Jailhouse hypervisor cell is destroyed and recreated—pending USR1/USR2 interrupts from a previous instance can remain. If such an interrupt fires after the new driver instance requests the IRQ but before uart_add_one_port completes (which allocates necessary data structures), the handler dereferences a NULL pointer, leading to a kernel panic [1].

Exploitation

The attack surface requires a system using the Jailhouse hypervisor with an i.MX8MP platform. The sequence involves repeatedly destroying and recreating a Jailhouse cell that runs a Linux inmate, while simultaneously sending keystrokes to the inmate’s UART console. The destruction phase does not quiesce the UART, leaving Ageing Timer interrupts pending. Upon cell recreation, the new kernel's serial driver requests the IRQ before the port is fully added, allowing a stale interrupt to trigger the crash [1].

Impact

An attacker with the ability to control Jailhouse cell lifecycle and inject UART input can cause a denial of service (system crash) on the host or inmate kernel. The vulnerability manifests as a kernel NULL pointer dereference that prevents the system from booting or operating normally. No privilege escalation or data integrity impact is described.

Mitigation

The fix, committed to the Linux kernel stable tree, disables the Ageing Timer interrupt in UCR2 prior to requesting the IRQ, mirroring the existing protection for UCR1. The patch is identified by commit 9795ece3a85ba9238191e97665586e2d79703ff3 and has been incorporated into upstream and stable kernel releases [1]. Users are advised to update their kernel to a version containing this fix.
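
The ordering problem the fix addresses can be shown with a small user-space model. This is an added example, not code from the kernel patch or from this advisory; the types and helpers (model_port, irq_line, probe_hits_null, stale_port) and the bit positions are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simulated bits: positions are illustrative, not taken from the driver. */
#define UCR1_RRDYEN (1u << 0)  /* receiver-ready interrupt enable (UCR1) */
#define UCR2_ATEN   (1u << 1)  /* Ageing Timer interrupt enable (UCR2) */
#define USR1_RRDY   (1u << 0)  /* receiver-ready status */
#define USR1_AGTIM  (1u << 1)  /* Ageing Timer status */

struct uart_state { int rx_count; };
struct model_port {
    uint32_t ucr1, ucr2, usr1;  /* register contents left by the last owner */
    struct uart_state *state;   /* NULL until port registration (assumed) */
};

/* The line is asserted when a status bit is set and its enable bit is on. */
static bool irq_line(const struct model_port *p) {
    return ((p->usr1 & USR1_RRDY) && (p->ucr1 & UCR1_RRDYEN)) ||
           ((p->usr1 & USR1_AGTIM) && (p->ucr2 & UCR2_ATEN));
}

/* Probe model: returns true if the handler would run while state is NULL. */
static bool probe_hits_null(struct model_port *p, bool mask_ucr2) {
    static struct uart_state st;
    p->state = NULL;
    p->ucr1 &= ~UCR1_RRDYEN;       /* UCR1 sources were already masked */
    if (mask_ucr2)
        p->ucr2 &= ~UCR2_ATEN;     /* the fix: mask the Ageing Timer too */
    /* IRQ is requested here; a still-asserted line runs the handler now. */
    bool early_irq = irq_line(p) && p->state == NULL;
    p->state = &st;                /* port registration completes afterwards */
    return early_irq;
}

/* Register state an un-quiesced previous instance could leave (constructed). */
static struct model_port stale_port(void) {
    struct model_port p = { UCR1_RRDYEN, UCR2_ATEN, USR1_RRDY | USR1_AGTIM, NULL };
    return p;
}

int main(void) {
    struct model_port a = stale_port(), b = stale_port();
    bool before = probe_hits_null(&a, false);  /* UCR1 masked only */
    bool after = probe_hits_null(&b, true);    /* UCR1 and UCR2 masked */
    return (before && !after) ? 0 : 1;
}
```

With only UCR1 masked, the stale Ageing Timer status keeps the line asserted and the handler runs before the port state exists; masking UCR2 as well removes that window.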

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
