CVE-2023-53644 in Linux
Summary
by MITRE • 10/07/2025
In the Linux kernel, the following vulnerability has been resolved:
media: radio-shark: Add endpoint checks
The syzbot fuzzer was able to provoke a WARNING from the radio-shark2 driver:
------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 0 PID: 3271 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:504
Modules linked in:
CPU: 0 PID: 3271 Comm: kworker/0:3 Not tainted 6.1.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:504
Code: 7c 24 18 e8 00 36 ea fb 48 8b 7c 24 18 e8 36 1c 02 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 b6 90 8a e8 9a 29 b8 03 <0f> 0b e9 58 f8 ff ff e8 d2 35 ea fb 48 81 c5 c0 05 00 00 e9 84 f7
RSP: 0018:ffffc90003876dd0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: ffff8880750b0040 RSI: ffffffff816152b8 RDI: fffff5200070edac
RBP: ffff8880172d81e0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000001
R13: ffff8880285c5040 R14: 0000000000000002 R15: ffff888017158200
FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe03235b90 CR3: 000000000bc8e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58
 usb_bulk_msg+0x226/0x550 drivers/usb/core/message.c:387
 shark_write_reg+0x1ff/0x2e0 drivers/media/radio/radio-shark2.c:88
...
The problem was caused by the fact that the driver does not check whether the endpoints it uses are actually present and have the appropriate types. This can be fixed by adding a simple check of these endpoints (and similarly for the radio-shark driver).
Analysis
by VulDB Data Team • 03/01/2026
The vulnerability identified as CVE-2023-53644 resides within the Linux kernel's media subsystem, specifically affecting the radio-shark2 USB driver implementation. This issue represents a critical endpoint validation flaw that can lead to system instability and potential security implications. The vulnerability was discovered through automated fuzzing conducted by the syzbot fuzzer, which systematically tested kernel drivers for potential weaknesses. The warning message "BOGUS urb xfer, pipe 1 != type 3" indicates a fundamental mismatch between expected USB transfer types and actual endpoint configurations, suggesting that the driver is attempting to submit USB requests to endpoints that are either absent or improperly configured.
The technical root cause of this vulnerability stems from inadequate endpoint validation within the radio-shark2 driver implementation. When the driver attempts to submit USB requests without verifying that the target endpoints exist and possess the correct types, it can trigger kernel warnings and potentially lead to system crashes or unexpected behavior. The kernel's USB core subsystem detects this inconsistency through its internal validation mechanisms, specifically in the usb_submit_urb function located at drivers/usb/core/urb.c line 504. This validation failure occurs because the driver assumes endpoint availability and correct types without performing proper checks, creating a scenario where invalid USB requests can be submitted to the kernel's USB subsystem.
The operational impact of this vulnerability extends beyond simple system warnings to potentially compromise system stability and integrity. When the radio-shark2 driver fails to validate endpoint configurations, it can cause kernel panic conditions or system hangs, particularly in embedded systems or devices that rely on USB radio interfaces. The vulnerability affects systems running Linux kernel versions where the radio-shark2 driver is active, potentially impacting devices such as USB radio receivers or audio equipment that utilize this specific driver implementation. This type of vulnerability falls under CWE-20: Improper Input Validation, as the driver fails to properly validate the existence and type of USB endpoints before attempting to use them. The ATT&CK framework would categorize this as a privilege escalation vector through kernel exploitation, as improper validation can be leveraged to gain unauthorized system access or cause denial of service conditions.
The fix for this vulnerability involves implementing proper endpoint validation checks within the radio-shark2 driver, similar to the approach already implemented in the radio-shark driver. This requires adding verification logic that ensures endpoints exist and have the appropriate types before attempting to submit USB requests through them. The solution must validate endpoint descriptors during driver initialization or when endpoints are accessed, ensuring that the driver only operates on valid USB endpoint configurations. This approach aligns with security best practices for kernel driver development, where all external inputs and hardware configurations must be validated before use. The fix demonstrates the importance of defensive programming in kernel space, where drivers must never assume hardware configurations are correct or properly initialized. The validation should check endpoint types against expected transfer types, verify endpoint addresses are valid, and ensure that required endpoints are actually present on the USB device.
This vulnerability highlights the critical need for comprehensive hardware validation in kernel drivers, particularly for USB-based devices where endpoint configurations can vary significantly between different hardware implementations. The mitigation strategy requires careful review and implementation of similar validation checks across all USB drivers that access endpoint information, ensuring consistent security practices throughout the kernel's USB subsystem.
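The probe-time check described in the summary and analysis, modelled in userspace C as an added example (it is not the kernel patch or the driver's own code): it refuses a device whose required endpoints are missing or of the wrong type, and shows how an interrupt pipe used on a bulk endpoint yields "pipe 1 != type 3". The type constants mirror the Linux USB headers; the endpoint addresses, descriptor sets and function names are constructed for illustration.

```c
/* Added example: userspace model of a probe-time USB endpoint check.
 * Endpoint addresses and descriptor sets below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define XFERTYPE_MASK 0x03  /* transfer-type bits of bmAttributes */
enum { XFER_CONTROL, XFER_ISOC, XFER_BULK, XFER_INT };   /* descriptor encoding */
enum { PIPE_ISOC, PIPE_INT, PIPE_CONTROL, PIPE_BULK };   /* URB pipe encoding */

struct ep_desc { uint8_t bEndpointAddress, bmAttributes; };

/* Pipe type the USB core expects for a descriptor's transfer type. */
static int pipe_for_xfer(int xfer)
{
    static const int map[4] = { PIPE_CONTROL, PIPE_ISOC, PIPE_BULK, PIPE_INT };
    return map[xfer & XFERTYPE_MASK];
}

/* Return 1 only if every address in the 0-terminated list `want` is present
 * (direction bit included) and has transfer type `xfer`. */
static int check_endpoints(const struct ep_desc *eps, size_t n,
                           const uint8_t *want, int xfer)
{
    for (; *want; want++) {
        size_t i;
        for (i = 0; i < n; i++)
            if (eps[i].bEndpointAddress == *want &&
                (eps[i].bmAttributes & XFERTYPE_MASK) == xfer)
                break;
        if (i == n)
            return 0;  /* missing or wrong type: refuse to bind */
    }
    return 1;
}

/* Constructed inputs: the driver wants interrupt IN 0x81 and OUT 0x02. */
static const uint8_t want_int[] = { 0x81, 0x02, 0 };
static const struct ep_desc good[]  = { {0x81, XFER_INT}, {0x02, XFER_INT} };
static const struct ep_desc bogus[] = { {0x81, XFER_INT}, {0x02, XFER_BULK} };

int main(void)
{
    printf("good=%d bogus=%d\n", check_endpoints(good, 2, want_int, XFER_INT),
           check_endpoints(bogus, 2, want_int, XFER_INT));
    /* Without the check: interrupt pipe submitted to a bulk endpoint. */
    printf("pipe %d != type %d\n", PIPE_INT, pipe_for_xfer(XFER_BULK));
    return 0;
}
```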