Linux Kernel up to 6.4.9 mt8183 memory corruption

Summaryinfo

A vulnerability was found in Linux Kernel up to 6.4.9. It has been rated as critical. This affects an unknown part of the component mt8183. The manipulation leads to memory corruption. This vulnerability is traded as CVE-2023-53274. There is no exploit available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in Linux Kernel up to 6.4.9. It has been rated as critical. This issue affects an unknown function of the component mt8183. The manipulation with an unknown input leads to a memory corruption vulnerability. Using CWE to declare the problem leads to CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: mt8183: Add back SSPM related clocks This reverts commit 860690a93ef23b567f781c1b631623e27190f101. On the MT8183, the SSPM related clocks were removed claiming a lack of usage. This however causes some issues when the driver was converted to the new simple-probe mechanism. This mechanism allocates enough space for all the clocks defined in the clock driver, not the highest index in the DT binding. This leads to out-of-bound writes if their are holes in the DT binding or the driver (due to deprecated or unimplemented clocks). These errors can go unnoticed and cause memory corruption, leading to crashes in unrelated areas, or nothing at all. KASAN will detect them. Add the SSPM related clocks back to the MT8183 clock driver to fully implement the DT binding. The SSPM clocks are for the power management co-processor, and should never be turned off. They are marked as such.

It is possible to read the advisory at git.kernel.org. The identification of this vulnerability is CVE-2023-53274 since 09/16/2025. The exploitation is known to be easy. The technical details are unknown and an exploit is not publicly available. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 01/11/2026).

The vulnerability scanner Nessus provides a plugin with the ID 265655 (Linux Distros Unpatched Vulnerability : CVE-2023-53274), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.4.10 eliminates this vulnerability. Applying the patch 45d69917a4af6c869193f95932dc6d6f15d5ef86/1eb8d61ac5c9c7ec56bb96d433532807509b9288 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (265655) and CERT Bund (WID-SEC-2025-2053). Be aware that VulDB is the high quality source for vulnerability data.

Affected

• Debian Linux
• Amazon Linux 2
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• IBM QRadar SIEM
• SUSE openSUSE
• Open Source Linux Kernel
• RESF Rocky Linux
• Dell Secure Connect Gateway
• F5 F5OS

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.4.0
• 6.4.1
• 6.4.2
• 6.4.3
• 6.4.4
• 6.4.5
• 6.4.6
• 6.4.7
• 6.4.8
• 6.4.9

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion