Linux Kernel up to 6.3.3 iwl_write_to_user_buf integer overflow

Summaryinfo

A vulnerability, which was classified as critical, has been found in Linux Kernel up to 5.4.243/5.10.180/5.15.112/6.1.29/6.3.3. This affects the function iwl_write_to_user_buf. Performing a manipulation results in integer overflow. This vulnerability is known as CVE-2023-53524. No exploit is available. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability classified as critical has been found in Linux Kernel up to 5.4.243/5.10.180/5.15.112/6.1.29/6.3.3. This affects the function iwl_write_to_user_buf. The manipulation with an unknown input leads to a integer overflow vulnerability. CWE is classifying the issue as CWE-190. The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. The impact remains unknown. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf An integer overflow occurs in the iwl_write_to_user_buf() function, which is called by the iwl_dbgfs_monitor_data_read() function. static bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count, void *buf, ssize_t *size, ssize_t *bytes_copied) { int buf_size_left = count - *bytes_copied; buf_size_left = buf_size_left - (buf_size_left % sizeof(u32)); if (*size > buf_size_left) *size = buf_size_left; If the user passes a SIZE_MAX value to the "ssize_t count" parameter, the ssize_t count parameter is assigned to "int buf_size_left". Then compare "*size" with "buf_size_left" . Here, "buf_size_left" is a negative number, so "*size" is assigned "buf_size_left" and goes into the third argument of the copy_to_user function, causing a heap overflow. This is not a security vulnerability because iwl_dbgfs_monitor_data_read() is a debugfs operation with 0400 privileges.

The advisory is shared at git.kernel.org. This vulnerability is uniquely identified as CVE-2023-53524 since 10/01/2025. Technical details are known, but no exploit is available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 01/27/2026).

Upgrading to version 5.4.244, 5.10.181, 5.15.113, 6.1.30 or 6.3.4 eliminates this vulnerability. Applying the patch 0ad8dd870aa187d0c21d032bb2c6433559075eec/059e426d666a41e26b184c177c1ca3ee2d6fa1b6/82f877ec9b041edc4c7c509c605cc3393d837bf0/eb1ef44efac797b384d361a76e33f77027c29a14/de78456976026102babe66258c228691ca5677c0/58d1b717879bfeabe09b35e41ad667c79933eb2e is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at EUVD (EUVD-2025-32738) and CERT Bund (WID-SEC-2025-2187). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Affected

• Amazon Linux 2
• Red Hat Enterprise Linux
• SUSE Linux
• Oracle Linux
• Open Source Linux Kernel
• Dell Secure Connect Gateway

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 5.4.243
• 5.10.180
• 5.15.112
• 6.1.0
• 6.1.1
• 6.1.2
• 6.1.3
• 6.1.4
• 6.1.5
• 6.1.6
• 6.1.7
• 6.1.8
• 6.1.9
• 6.1.10
• 6.1.11
• 6.1.12
• 6.1.13
• 6.1.14
• 6.1.15
• 6.1.16
• 6.1.17
• 6.1.18
• 6.1.19
• 6.1.20
• 6.1.21
• 6.1.22
• 6.1.23
• 6.1.24
• 6.1.25
• 6.1.26
• 6.1.27
• 6.1.28
• 6.1.29
• 6.3.0
• 6.3.1
• 6.3.2
• 6.3.3

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion