CVE-2023-54137Use of Uninitialized Resource in Linux

CWE-908Use of Uninitialized Resource7 documents6 sources
Severity
5.5MEDIUM
No vector
EPSS
0.0%
top 89.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
LinuxLinux KernelDebian Linux
Timeline
PublishedDec 24

Description

In the Linux kernel, the following vulnerability has been resolved: vfio/type1: fix cap_migration information leak Fix an information leak where an uninitialized hole in struct vfio_iommu_type1_info_cap_migration on the stack is exposed to userspace. The definition of struct vfio_iommu_type1_info_cap_migration contains a hole as shown in this pahole(1) output: struct vfio_iommu_type1_info_cap_migration { struct vfio_info_cap_header header; /* 0 8 */ __u32 flags; /* 8 4 */ /* XXX 4 bytes hol

Affected Packages4 packages

Linuxlinux/linux_kernel5.8.05.10.195+4
Debianlinux/linux_kernel< 5.10.197-1+3
CVEListV5linux/linuxad721705d09c62f0d108a6b4f59867ebfd592c90ad83d83dd891244de0d07678b257dc976db7c132+6
debiandebian/linux< linux 6.1.55-1 (bookworm)

🔴Vulnerability Details

3
OSV
vfio/type1: fix cap_migration information leak2025-12-24
OSV
CVE-2023-54137: In the Linux kernel, the following vulnerability has been resolved: vfio/type1: fix cap_migration information leak Fix an information leak where an un2025-12-24
GHSA
GHSA-78pw-r9wg-6p38: In the Linux kernel, the following vulnerability has been resolved: vfio/type1: fix cap_migration information leak Fix an information leak where an2025-12-24

📋Vendor Advisories

2
Red Hat
kernel: Linux kernel: Information disclosure in VFIO Type1 module via uninitialized stack memory2025-12-24
Debian
CVE-2023-54137: linux - In the Linux kernel, the following vulnerability has been resolved: vfio/type1:...2023

🕵️Threat Intelligence

1
Wiz
CVE-2023-54137 Impact, Exploitability, and Mitigation Steps | Wiz