{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-53582","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-10-04T15:14:15.926Z","datePublished":"2025-10-04T15:43:58.493Z","dateUpdated":"2026-05-11T19:47:51.395Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:47:51.395Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds\n\nFix a stack-out-of-bounds read in brcmfmac that occurs\nwhen 'buf' that is not null-terminated is passed as an argument of\nstrreplace() in brcmf_c_preinit_dcmds(). This buffer is filled with\na CLM version string by memcpy() in brcmf_fil_iovar_data_get().\nEnsure buf is null-terminated.\n\nFound by a modified version of syzkaller.\n\n[   33.004414][ T1896] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available\n[   33.013486][ T1896] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43236/3 wl0: Nov 30 2011 17:33:42 version 5.90.188.22\n[   33.021554][ T1896] ==================================================================\n[   33.022379][ T1896] BUG: KASAN: stack-out-of-bounds in strreplace+0xf2/0x110\n[   33.023122][ T1896] Read of size 1 at addr ffffc90001d6efc8 by task kworker/0:2/1896\n[   33.023852][ T1896]\n[   33.024096][ T1896] CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G           O      5.14.0+ #132\n[   33.024927][ T1896] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\n[   33.026065][ T1896] Workqueue: usb_hub_wq hub_event\n[   33.026581][ T1896] Call Trace:\n[   33.026896][ T1896]  dump_stack_lvl+0x57/0x7d\n[   33.027372][ T1896]  print_address_description.constprop.0.cold+0xf/0x334\n[   33.028037][ T1896]  ? strreplace+0xf2/0x110\n[   33.028403][ T1896]  ? strreplace+0xf2/0x110\n[   33.028807][ T1896]  kasan_report.cold+0x83/0xdf\n[   33.029283][ T1896]  ? strreplace+0xf2/0x110\n[   33.029666][ T1896]  strreplace+0xf2/0x110\n[   33.029966][ T1896]  brcmf_c_preinit_dcmds+0xab1/0xc40\n[   33.030351][ T1896]  ? brcmf_c_set_joinpref_default+0x100/0x100\n[   33.030787][ T1896]  ? rcu_read_lock_sched_held+0xa1/0xd0\n[   33.031223][ T1896]  ? rcu_read_lock_bh_held+0xb0/0xb0\n[   33.031661][ T1896]  ? lock_acquire+0x19d/0x4e0\n[   33.032091][ T1896]  ? find_held_lock+0x2d/0x110\n[   33.032605][ T1896]  ? brcmf_usb_deq+0x1a7/0x260\n[   33.033087][ T1896]  ? brcmf_usb_rx_fill_all+0x5a/0xf0\n[   33.033582][ T1896]  brcmf_attach+0x246/0xd40\n[   33.034022][ T1896]  ? wiphy_new_nm+0x1476/0x1d50\n[   33.034383][ T1896]  ? kmemdup+0x30/0x40\n[   33.034722][ T1896]  brcmf_usb_probe+0x12de/0x1690\n[   33.035223][ T1896]  ? brcmf_usbdev_qinit.constprop.0+0x470/0x470\n[   33.035833][ T1896]  usb_probe_interface+0x25f/0x710\n[   33.036315][ T1896]  really_probe+0x1be/0xa90\n[   33.036656][ T1896]  __driver_probe_device+0x2ab/0x460\n[   33.037026][ T1896]  ? usb_match_id.part.0+0x88/0xc0\n[   33.037383][ T1896]  driver_probe_device+0x49/0x120\n[   33.037790][ T1896]  __device_attach_driver+0x18a/0x250\n[   33.038300][ T1896]  ? driver_allows_async_probing+0x120/0x120\n[   33.038986][ T1896]  bus_for_each_drv+0x123/0x1a0\n[   33.039906][ T1896]  ? bus_rescan_devices+0x20/0x20\n[   33.041412][ T1896]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n[   33.041861][ T1896]  ? trace_hardirqs_on+0x1c/0x120\n[   33.042330][ T1896]  __device_attach+0x207/0x330\n[   33.042664][ T1896]  ? device_bind_driver+0xb0/0xb0\n[   33.043026][ T1896]  ? kobject_uevent_env+0x230/0x12c0\n[   33.043515][ T1896]  bus_probe_device+0x1a2/0x260\n[   33.043914][ T1896]  device_add+0xa61/0x1ce0\n[   33.044227][ T1896]  ? __mutex_unlock_slowpath+0xe7/0x660\n[   33.044891][ T1896]  ? __fw_devlink_link_to_suppliers+0x550/0x550\n[   33.045531][ T1896]  usb_set_configuration+0x984/0x1770\n[   33.046051][ T1896]  ? kernfs_create_link+0x175/0x230\n[   33.046548][ T1896]  usb_generic_driver_probe+0x69/0x90\n[   33.046931][ T1896]  usb_probe_device+0x9c/0x220\n[   33.047434][ T1896]  really_probe+0x1be/0xa90\n[   33.047760][ T1896]  __driver_probe_device+0x2ab/0x460\n[   33.048134][ T1896]  driver_probe_device+0x49/0x120\n[   33.048516][ T1896]  __device_attach_driver+0x18a/0x250\n[   33.048910][ T1896]  ? driver_allows_async_probing+0x120/0x120\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c"],"versions":[{"version":"fdd0bd88ceaecf729db103ac8836af5805dd2dc1","lessThan":"3b173b4ad9c001a555f44adc7836d6fe3afbe9ec","status":"affected","versionType":"git"},{"version":"fdd0bd88ceaecf729db103ac8836af5805dd2dc1","lessThan":"423a1297ea72bbddf64dbb0957f2879c0f2aa5d0","status":"affected","versionType":"git"},{"version":"fdd0bd88ceaecf729db103ac8836af5805dd2dc1","lessThan":"0ca2efea4f11c6255061e852ac188264c469c197","status":"affected","versionType":"git"},{"version":"fdd0bd88ceaecf729db103ac8836af5805dd2dc1","lessThan":"a0f0ce1c8ab9fe90618dc394e3d1568b5a9ac154","status":"affected","versionType":"git"},{"version":"fdd0bd88ceaecf729db103ac8836af5805dd2dc1","lessThan":"ecb980dc79709c02f579a9c03cb92ccec189ab38","status":"affected","versionType":"git"},{"version":"fdd0bd88ceaecf729db103ac8836af5805dd2dc1","lessThan":"c02f733024d70105f22de8dd0a1252a0350cd516","status":"affected","versionType":"git"},{"version":"fdd0bd88ceaecf729db103ac8836af5805dd2dc1","lessThan":"660145d708be52f946a82e5b633c020f58f996de","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c"],"versions":[{"version":"4.15","status":"affected"},{"version":"0","lessThan":"4.15","status":"unaffected","versionType":"semver"},{"version":"4.19.276","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.235","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.173","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.99","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.16","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2.3","lessThanOrEqual":"6.2.*","status":"unaffected","versionType":"semver"},{"version":"6.3","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"4.19.276"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"5.4.235"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"5.10.173"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"5.15.99"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"6.1.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"6.2.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"6.3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/3b173b4ad9c001a555f44adc7836d6fe3afbe9ec"},{"url":"https://git.kernel.org/stable/c/423a1297ea72bbddf64dbb0957f2879c0f2aa5d0"},{"url":"https://git.kernel.org/stable/c/0ca2efea4f11c6255061e852ac188264c469c197"},{"url":"https://git.kernel.org/stable/c/a0f0ce1c8ab9fe90618dc394e3d1568b5a9ac154"},{"url":"https://git.kernel.org/stable/c/ecb980dc79709c02f579a9c03cb92ccec189ab38"},{"url":"https://git.kernel.org/stable/c/c02f733024d70105f22de8dd0a1252a0350cd516"},{"url":"https://git.kernel.org/stable/c/660145d708be52f946a82e5b633c020f58f996de"}],"title":"wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds","x_generator":{"engine":"bippy-1.2.0"}}}}