CVE-2023-54295
Description
In the Linux kernel, the following vulnerability has been resolved:
mtd: spi-nor: Fix shift-out-of-bounds in spi_nor_set_erase_type
spi_nor_set_erase_type() was used either to set or to mask out an erase type. When we used it to mask out an erase type a shift-out-of-bounds was hit:
UBSAN: shift-out-of-bounds in drivers/mtd/spi-nor/core.c:2237:24
shift exponent 4294967295 is too large for 32-bit type 'int'
The setting of the size_{shift, mask} and of the opcode are unnecessary when the erase size is zero, as throughout the code just the erase size is considered to determine whether an erase type is supported or not. Setting the opcode to 0xFF was wrong too as nobody guarantees that 0xFF is an unused opcode. Thus when masking out an erase type, just set the erase size to zero. This will fix the shift-out-of-bounds.
[ta: refine changes, new commit message, fix compilation error]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-54295 describes a shift-out-of-bounds bug in the Linux kernel's spi-nor driver when masking out an erase type, which can be triggered via malformed SPI NOR flash operations.
Vulnerability
Overview
CVE-2023-54295 is a shift-out-of-bounds vulnerability in the Linux kernel's SPI NOR flash driver, specifically in the spi_nor_set_erase_type() function. The function was used either to set or to mask out an erase type. When masking out an erase type, the erase size was zero, but the code still computed the size shift and mask from that value, leading to undefined behavior that UBSAN reported as a shift exponent of 4294967295 (0xFFFFFFFF) on a 32-bit integer.
Exploitation
The vulnerability can be triggered by any operation that causes the driver to mask out an erase type, such as when parsing a flash device's parameters or handling an unsupported erase command. No authentication is required beyond having local access to the system or the ability to interact with the SPI NOR device, typically through a kernel interface or by physically connecting a malicious flash chip. The bug is reachable from user space via control of flash partitions or configuration, though the affected code path is exercised during device initialization or reconfiguration.
Impact
An attacker able to trigger this bug causes undefined behavior through the out-of-bounds shift, which may lead to a kernel crash (denial of service) or potentially corrupt memory and enable privilege escalation. The impact is limited to systems with SPI NOR flash devices, but the bug can be exploited without any special privileges beyond the ability to mount or configure MTD partitions.
Mitigation
The fix was applied in the Linux kernel stable commits [1] and [2], which change the behavior so that when an erase type is disabled (size zero), the size_shift, size_mask, and opcode are no longer set unnecessarily. This avoids any arithmetic on zero-sized erase types. Users should update to a kernel version containing these commits or apply the patch to their kernel source.
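The description and mitigation above are illustrated by the following added example, modelled on the commit message rather than taken from the kernel source: it shows the exponent the pre-fix setter would have produced for a zero size, and a setter/mask pair that follows the fixed pattern (only the size decides whether a type is supported). All names here are assumptions.

```c
/* Added illustration of the CVE-2023-54295 fix pattern, modelled on the commit
 * message above; not the kernel's code, and all names here are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <strings.h>  /* ffs(): index of lowest set bit, 0 for a zero argument */

struct erase_type {
    uint32_t size;        /* erase size in bytes; 0 means "not supported" */
    uint8_t  opcode;      /* erase command opcode */
    uint8_t  size_shift;  /* log2(size); only meaningful when size != 0 */
    uint32_t size_mask;   /* size - 1;   only meaningful when size != 0 */
};

/* Exponent the pre-fix setter computed. With size 0, ffs(0) is 0, so the
 * result is -1, which as a 32-bit shift count is the 4294967295 in the
 * UBSAN report. Returned rather than shifted, so nothing undefined runs. */
static int32_t prefix_shift_exponent(uint32_t size)
{
    return ffs((int)size) - 1;
}

/* Setter for a supported type: refuses size 0 and non-powers of two, so the
 * shift below is always in range (JESD216 erase sizes are powers of two). */
static bool set_erase_type(struct erase_type *e, uint32_t size, uint8_t opcode)
{
    if (size == 0 || (size & (size - 1)) != 0)
        return false;
    e->size = size;
    e->opcode = opcode;
    e->size_shift = (uint8_t)(ffs((int)size) - 1);
    e->size_mask = (1u << e->size_shift) - 1;
    return true;
}

/* Masking out a type touches only the size: no shift arithmetic, and the
 * opcode is left alone because 0xFF is not guaranteed to be unused. */
static void mask_erase_type(struct erase_type *e)
{
    e->size = 0;
}

/* Set a 4 KiB type (0x20 is a sample opcode), then mask it out; afterwards
 * only size == 0 marks it unsupported, and the opcode is untouched. */
static bool roundtrip_ok(void)
{
    struct erase_type e = {0};
    if (!set_erase_type(&e, 4096, 0x20) || e.size_shift != 12 || e.size_mask != 0xFFF)
        return false;
    mask_erase_type(&e);
    return e.size == 0 && e.opcode == 0x20;
}
```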
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (5)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- git.kernel.org/stable/c/53b2916ebde741c657a857fa1936c0d9fcb59170 (nvd)
- git.kernel.org/stable/c/61d44a4db2f54dbac7d22c2541574ea5755e0468 (nvd)
- git.kernel.org/stable/c/99341b8aee7b5b4255b339345bbcaa35867dfd0c (nvd)
- git.kernel.org/stable/c/e6409208c13f7c56adc12dd795abf4141e3d5e64 (nvd)
- git.kernel.org/stable/c/f0f0cfdc3a024e21161714f2e05f0df3b84d42ad (nvd)
News mentions (0)
No linked articles in our index yet.