{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-53822", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-09T01:27:17.824Z", "datePublished": "2025-12-09T01:29:35.206Z", "dateUpdated": "2025-12-20T08:51:27.266Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-20T08:51:27.266Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: Ignore frags from uninitialized peer in dp.\n\nWhen max virtual ap interfaces are configured in all the bands with\nACS and hostapd restart is done every 60s, a crash is observed at\nrandom times.\nIn this certain scenario, a fragmented packet is received for\nself peer, for which rx_tid and rx_frags are not initialized in\ndatapath. While handling this fragment, crash is observed as the\nrx_frag list is uninitialised and when we walk in\nath11k_dp_rx_h_sort_frags, skb null leads to exception.\n\nTo address this, before processing received fragments we check\ndp_setup_done flag is set to ensure that peer has completed its\ndp peer setup for fragment queue, else ignore processing the\nfragments.\n\nCall trace:\n ath11k_dp_process_rx_err+0x550/0x1084 [ath11k]\n ath11k_dp_service_srng+0x70/0x370 [ath11k]\n 0xffffffc009693a04\n __napi_poll+0x30/0xa4\n net_rx_action+0x118/0x270\n __do_softirq+0x10c/0x244\n irq_exit+0x64/0xb4\n __handle_domain_irq+0x88/0xac\n gic_handle_irq+0x74/0xbc\n el1_irq+0xf0/0x1c0\n arch_cpu_idle+0x10/0x18\n do_idle+0x104/0x248\n cpu_startup_entry+0x20/0x64\n rest_init+0xd0/0xdc\n arch_call_rest_init+0xc/0x14\n start_kernel+0x480/0x4b8\n Code: f9400281 f94066a2 91405021 b94a0023 (f9406401)\n\nTested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/ath/ath11k/dp.c", "drivers/net/wireless/ath/ath11k/dp_rx.c", "drivers/net/wireless/ath/ath11k/peer.h"], "versions": [{"version": "d5c65159f2895379e11ca13f62feabe93278985d", "lessThan": "e78526a06b53718bfc1dfff37864c7760e41f8ec", "status": "affected", "versionType": "git"}, {"version": "d5c65159f2895379e11ca13f62feabe93278985d", "lessThan": "41efc47f5bc53e63461579e206adc17c4452ab6e", "status": "affected", "versionType": "git"}, {"version": "d5c65159f2895379e11ca13f62feabe93278985d", "lessThan": "a06bfb3c9f69f303692cdae87bc0899d2ae8b2a6", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/ath/ath11k/dp.c", "drivers/net/wireless/ath/ath11k/dp_rx.c", "drivers/net/wireless/ath/ath11k/peer.h"], "versions": [{"version": "5.6", "status": "affected"}, {"version": "0", "lessThan": "5.6", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.30", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.3.4", "lessThanOrEqual": "6.3.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.4", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.1.30"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.3.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e78526a06b53718bfc1dfff37864c7760e41f8ec"}, {"url": "https://git.kernel.org/stable/c/41efc47f5bc53e63461579e206adc17c4452ab6e"}, {"url": "https://git.kernel.org/stable/c/a06bfb3c9f69f303692cdae87bc0899d2ae8b2a6"}], "title": "wifi: ath11k: Ignore frags from uninitialized peer in dp.", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: Ignore frags from uninitialized peer in dp.\n\nWhen max virtual ap interfaces are configured in all the bands with\nACS and hostapd restart is done every 60s, a crash is observed at\nrandom times.\nIn this certain scenario, a fragmented packet is received for\nself peer, for which rx_tid and rx_frags are not initialized in\ndatapath. While handling this fragment, crash is observed as the\nrx_frag list is uninitialised and when we walk in\nath11k_dp_rx_h_sort_frags, skb null leads to exception.\n\nTo address this, before processing received fragments we check\ndp_setup_done flag is set to ensure that peer has completed its\ndp peer setup for fragment queue, else ignore processing the\nfragments.\n\nCall trace:\n ath11k_dp_process_rx_err+0x550/0x1084 [ath11k]\n ath11k_dp_service_srng+0x70/0x370 [ath11k]\n 0xffffffc009693a04\n __napi_poll+0x30/0xa4\n net_rx_action+0x118/0x270\n __do_softirq+0x10c/0x244\n irq_exit+0x64/0xb4\n __handle_domain_irq+0x88/0xac\n gic_handle_irq+0x74/0xbc\n el1_irq+0xf0/0x1c0\n arch_cpu_idle+0x10/0x18\n do_idle+0x104/0x248\n cpu_startup_entry+0x20/0x64\n rest_init+0xd0/0xdc\n arch_call_rest_init+0xc/0x14\n start_kernel+0x480/0x4b8\n Code: f9400281 f94066a2 91405021 b94a0023 (f9406401)\n\nTested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1"}], "id": "CVE-2023-53822", "lastModified": "2025-12-09T18:37:13.640", "metrics": {}, "published": "2025-12-09T16:17:20.993", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/41efc47f5bc53e63461579e206adc17c4452ab6e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a06bfb3c9f69f303692cdae87bc0899d2ae8b2a6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e78526a06b53718bfc1dfff37864c7760e41f8ec"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: wifi: ath11k: Ignore frags from uninitialized peer in dp", "id": "2420368", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2420368"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-665", "details": ["No description is available for this CVE."], "name": "CVE-2023-53822", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-12-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-53822\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53822\nhttps://lore.kernel.org/linux-cve-announce/2025120950-CVE-2023-53822-c4da@gregkh/T"], "statement": "The issue in the ath11k driver allowed a NULL pointer dereference when fragmented Wi-Fi frames were received before datapath initialization for a peer. This could cause a kernel crash during packet processing.\nAn attacker with local administrative access or control over the wireless interface (e.g., repeatedly restarting hostapd with multiple virtual APs) could trigger the race condition, leading to a denial of service (system crash).", "threat_severity": "Moderate"}

{}