CVE-2023-53599 in Linux
Summary
by MITRE • 10/04/2025
In the Linux kernel, the following vulnerability has been resolved:
crypto: af_alg - Fix missing initialisation affecting gcm-aes-s390
Fix af_alg_alloc_areq() to initialise areq->first_rsgl.sgl.sgt.sgl to point to the scatterlist array in areq->first_rsgl.sgl.sgl.
Without this, the gcm-aes-s390 driver will oops when it tries to do gcm_walk_start() on req->dst because req->dst is set to the value of areq->first_rsgl.sgl.sgl by _aead_recvmsg() calling aead_request_set_crypt().
The problem comes if an empty ciphertext is passed: the loop in af_alg_get_rsgl() just passes straight out and doesn't set areq->first_rsgl up.
This isn't a problem on x86_64 using gcmaes_crypt_by_sg() because, as far as I can tell, that ignores req->dst and only uses req->src[*].
[*] Is this a bug in aesni-intel_glue.c?
The s390x oops looks something like:
Unable to handle kernel pointer dereference in virtual kernel address space Failing address: 0000000a00000000 TEID: 0000000a00000803 Fault in home space mode while using kernel ASCE. AS:00000000a43a0007 R3:0000000000000024 Oops: 003b ilc:2 [#1] SMP
... Call Trace: [<000003ff7fc3d47e>] gcm_walk_start+0x16/0x28 [aes_s390]
[<00000000a2a342f2>] crypto_aead_decrypt+0x9a/0xb8
[<00000000a2a60888>] aead_recvmsg+0x478/0x698
[<00000000a2e519a0>] sock_recvmsg+0x70/0xb0
[<00000000a2e51a56>] sock_read_iter+0x76/0xa0
[<00000000a273e066>] vfs_read+0x26e/0x2a8
[<00000000a273e8c4>] ksys_read+0xbc/0x100
[<00000000a311d808>] __do_syscall+0x1d0/0x1f8
[<00000000a312ff30>] system_call+0x70/0x98
Last Breaking-Event-Address: [<000003ff7fc3e6b4>] gcm_aes_crypt+0x104/0xa68 [aes_s390]
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/28/2026
The vulnerability CVE-2023-53599 represents a critical initialization flaw within the Linux kernel's cryptographic subsystem, specifically affecting the af_alg framework and the gcm-aes-s390 driver implementation. This issue manifests as a kernel oops condition that occurs when processing empty ciphertext inputs through the authenticated encryption operations. The root cause lies in the improper initialization of the scatterlist structure within the af_alg_alloc_areq() function, where the areq->first_rsgl.sgl.sgt.sgl field fails to be properly set to point to the scatterlist array. This omission creates a null pointer dereference scenario when the gcm-aes-s390 driver attempts to execute gcm_walk_start() on the request destination buffer, as the driver relies on this properly initialized structure to perform its cryptographic operations.
The technical flaw stems from a conditional execution path in the af_alg_get_rsgl() function that bypasses the proper setup of the first_rsgl structure when handling empty ciphertext inputs. This behavior creates a state where the cryptographic request structure contains uninitialized memory references that subsequently cause kernel crashes when accessed by the s390x architecture-specific AES-GCM implementation. The vulnerability specifically impacts systems utilizing the s390x architecture with the gcm-aes-s390 driver, while x86_64 systems remain unaffected due to their different code path implementation that ignores the problematic req->dst field entirely. The inconsistency in behavior between architectures highlights a fundamental design flaw in the kernel's cryptographic abstraction layer where platform-specific implementations make assumptions about structure initialization that are not consistently enforced across all code paths.
The operational impact of this vulnerability extends beyond simple kernel crashes to potentially enable denial of service attacks against systems running affected kernel versions. An attacker could exploit this vulnerability by crafting specific cryptographic requests with empty ciphertext data, causing the kernel to panic and reboot the system. This represents a significant security concern for enterprise environments where system availability is critical, particularly in high-availability configurations or systems running cryptographic services. The vulnerability maps to CWE-476 which describes NULL pointer dereference conditions, and aligns with ATT&CK technique T1499.004 for network denial of service attacks. The attack surface is particularly concerning for cryptographic infrastructure components that handle authenticated encryption operations, as these are frequently used in secure communications and data protection scenarios.
Mitigation strategies for CVE-2023-53599 require immediate kernel updates to the patched versions that properly initialize the scatterlist structures within the af_alg framework. System administrators should prioritize applying the relevant security patches from their respective Linux distribution vendors, as the vulnerability cannot be effectively mitigated through configuration changes or workarounds. The fix implemented in the kernel addresses the root cause by ensuring that af_alg_alloc_areq() correctly initializes the areq->first_rsgl.sgl.sgt.sgl field to point to the scatterlist array, thereby preventing the subsequent null pointer dereference when the gcm-aes-s390 driver attempts to access this structure. Organizations should also implement monitoring for kernel oops events and system crashes related to cryptographic operations, as these may indicate exploitation attempts. Additionally, the vulnerability underscores the importance of thorough testing of cryptographic implementations across different hardware platforms and the need for consistent initialization practices throughout kernel subsystems to prevent similar issues from arising in the future.