CVE-2023-53185: Improper Validation of Specified Index, Position, or Offset in Input in Linux

Severity: 5.5 MEDIUM (NVD)
EPSS: 0.0% (top 96.24%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 15

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes

A bad USB device is able to construct a service connection response message with target endpoint being ENDPOINT0, which is reserved for HTC_CTRL_RSVD_SVC and should not be modified to be used for any other services. Reject such service connection responses.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 3.6

Affected Packages (4 packages)

Source: NVD | Package: linux/linux_kernel | Affected: 2.6.35 through 4.14.322 (+7 more ranges)
Source: Debian | Package: linux/linux_kernel | Affected: < 5.10.191-1 (+3 more ranges)
Source: CVEListV5 | Package: linux/linux | Affected: fb9987d0f748c983bb795a86f47522313f701a08 through db8df00cd6d801b3abdb145201c2bdd1c665f585 (+9 more ranges)
Source: debian | Package: debian/linux | Affected: < linux 6.1.52-1 (bookworm)

Patches

Vulnerability Details (2)

OSV: CVE-2023-53185: In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes. A bad USB device is abl... (2025-09-15)
GHSA: GHSA-mj4m-3482-q62h: In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes. A bad USB device is a... (2025-09-15)

Vendor Advisories (2)

Red Hat: kernel: wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes (2025-09-15)
Debian: CVE-2023-53185: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k... (2023)
CVE-2023-53185 — Linux vulnerability | cvebase