CVE-2023-53019
Published: 27 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2023-53019 is a vulnerability in the Linux kernel's MDIO subsystem, specifically in the mdiobus_get_phy() function, where the addr parameter is not properly validated. This can lead to an out-of-bounds access in the mdio_map array, as callers like stmmac_init_phy() may pass invalid values such as -1. The issue is classified under CWE-129 (Improper Validation of Array Index) with a CVSS v3.1 base score of 7.8.
A local attacker with low privileges can exploit this vulnerability: attack complexity is low and no user interaction is required (AV:L/AC:L/PR:L/UI:N/S:U). Successful exploitation could result in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary code execution, data corruption, or system crashes through the out-of-bounds memory access.
Mitigation involves applying the upstream patches referenced in the stable kernel commit logs, such as those at https://git.kernel.org/stable/c/1d80c259dfbadefa61b7ea334dfce5cb57f8c72f and similar backports, which add validation of the addr parameter before accessing the mdio_map array. Security practitioners should update affected Linux kernels to incorporate these fixes.
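The index validation described above, as an added user-space model in C (not the kernel's code and not the upstream patch). The struct layouts, the function names get_phy_unchecked and get_phy_checked, the 32-entry map size and the sample bus are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define PHY_MAX_ADDR 32  /* assumption: map size used in this model */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Simplified stand-ins for the kernel structures (model only). */
struct mdio_device { int is_phy; int id; };
struct mii_bus { struct mdio_device *mdio_map[PHY_MAX_ADDR]; };

/* Pre-fix shape: addr indexes mdio_map with no range check (CWE-129).
 * Kept for comparison only and never called here: with addr = -1 the
 * read lands in front of the array. */
struct mdio_device *get_phy_unchecked(struct mii_bus *bus, int addr)
{
    struct mdio_device *dev = bus->mdio_map[addr];
    if (!dev || !dev->is_phy)
        return NULL;
    return dev;
}

/* Hardened shape: reject an out-of-range addr before touching the array. */
struct mdio_device *get_phy_checked(struct mii_bus *bus, int addr)
{
    struct mdio_device *dev;

    if (addr < 0 || (size_t)addr >= ARRAY_SIZE(bus->mdio_map))
        return NULL;
    dev = bus->mdio_map[addr];
    if (!dev || !dev->is_phy)
        return NULL;
    return dev;
}

/* Constructed bus: a PHY at address 1, a non-PHY device at address 2. */
static struct mdio_device sample_phy = { 1, 0x1234 };
static struct mdio_device sample_switch = { 0, 0x5678 };
static struct mii_bus sample_bus = {
    .mdio_map = { [1] = &sample_phy, [2] = &sample_switch }
};

int main(void)
{
    int probes[] = { -1, 0, 1, 2, 31, 32 };  /* includes the -1 case */
    for (size_t i = 0; i < ARRAY_SIZE(probes); i++)
        printf("addr %3d -> %s\n", probes[i],
               get_phy_checked(&sample_bus, probes[i]) ? "PHY" : "NULL");
    return 0;
}
```

A caller that uses -1 to mean "no address configured" gets NULL back from the checked lookup and can take its normal "no PHY found" error path.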
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The kernel memory corruption vulnerability (out-of-bounds array access) directly enables local privilege escalation by allowing a low-privileged attacker to achieve arbitrary code execution or system compromise.