{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-53641","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-10-07T15:16:59.658Z","datePublished":"2025-10-07T15:19:41.028Z","dateUpdated":"2026-05-11T19:49:05.188Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:49:05.188Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: hif_usb: fix memory leak of remain_skbs\n\nhif_dev->remain_skb is allocated and used exclusively in\nath9k_hif_usb_rx_stream(). It is implied that an allocated remain_skb is\nprocessed and subsequently freed (in error paths) only during the next\ncall of ath9k_hif_usb_rx_stream().\n\nSo, if the urbs are deallocated between those two calls due to the device\ndeinitialization or suspend, it is possible that ath9k_hif_usb_rx_stream()\nis not called next time and the allocated remain_skb is leaked. Our local\nSyzkaller instance was able to trigger that.\n\nremain_skb makes sense when receiving two consecutive urbs which are\nlogically linked together, i.e. a specific data field from the first skb\nindicates a cached skb to be allocated, memcpy'd with some data and\nsubsequently processed in the next call to ath9k_hif_usb_rx_stream(). Urbs\ndeallocation supposedly makes that link irrelevant so we need to free the\ncached skb in those cases.\n\nFix the leak by introducing a function to explicitly free remain_skb (if\nit is not NULL) when the rx urbs have been deallocated. remain_skb is NULL\nwhen it has not been allocated at all (hif_dev struct is kzalloced) or\nwhen it has been processed in next call to ath9k_hif_usb_rx_stream().\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/ath/ath9k/hif_usb.c"],"versions":[{"version":"fb9987d0f748c983bb795a86f47522313f701a08","lessThan":"6719e3797ec52cd144c8a5ba8aaab36674800585","status":"affected","versionType":"git"},{"version":"fb9987d0f748c983bb795a86f47522313f701a08","lessThan":"d9899318660791141ea6002fda5577b2c5d7386e","status":"affected","versionType":"git"},{"version":"fb9987d0f748c983bb795a86f47522313f701a08","lessThan":"320d760a35273aa815d58b57e4fd9ba5279a3489","status":"affected","versionType":"git"},{"version":"fb9987d0f748c983bb795a86f47522313f701a08","lessThan":"59073060fe0950c6ecbe12bdc06469dcac62128d","status":"affected","versionType":"git"},{"version":"fb9987d0f748c983bb795a86f47522313f701a08","lessThan":"9b9356a3014123f0ce4b50d9278c1265173150ab","status":"affected","versionType":"git"},{"version":"fb9987d0f748c983bb795a86f47522313f701a08","lessThan":"f0931fc8f4b6847c72e170d2326861c0a081d680","status":"affected","versionType":"git"},{"version":"fb9987d0f748c983bb795a86f47522313f701a08","lessThan":"8f02d538878c9b1501f624595eb22ee4e5e0ff84","status":"affected","versionType":"git"},{"version":"fb9987d0f748c983bb795a86f47522313f701a08","lessThan":"7654cc03eb699297130b693ec34e25f77b17c947","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/ath/ath9k/hif_usb.c"],"versions":[{"version":"2.6.35","status":"affected"},{"version":"0","lessThan":"2.6.35","status":"unaffected","versionType":"semver"},{"version":"4.19.283","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.243","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.180","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.111","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.28","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2.15","lessThanOrEqual":"6.2.*","status":"unaffected","versionType":"semver"},{"version":"6.3.2","lessThanOrEqual":"6.3.*","status":"unaffected","versionType":"semver"},{"version":"6.4","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35","versionEndExcluding":"4.19.283"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35","versionEndExcluding":"5.4.243"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35","versionEndExcluding":"5.10.180"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35","versionEndExcluding":"5.15.111"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35","versionEndExcluding":"6.1.28"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35","versionEndExcluding":"6.2.15"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35","versionEndExcluding":"6.3.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35","versionEndExcluding":"6.4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/6719e3797ec52cd144c8a5ba8aaab36674800585"},{"url":"https://git.kernel.org/stable/c/d9899318660791141ea6002fda5577b2c5d7386e"},{"url":"https://git.kernel.org/stable/c/320d760a35273aa815d58b57e4fd9ba5279a3489"},{"url":"https://git.kernel.org/stable/c/59073060fe0950c6ecbe12bdc06469dcac62128d"},{"url":"https://git.kernel.org/stable/c/9b9356a3014123f0ce4b50d9278c1265173150ab"},{"url":"https://git.kernel.org/stable/c/f0931fc8f4b6847c72e170d2326861c0a081d680"},{"url":"https://git.kernel.org/stable/c/8f02d538878c9b1501f624595eb22ee4e5e0ff84"},{"url":"https://git.kernel.org/stable/c/7654cc03eb699297130b693ec34e25f77b17c947"}],"title":"wifi: ath9k: hif_usb: fix memory leak of remain_skbs","x_generator":{"engine":"bippy-1.2.0"}}}}