CVE-2023-53059

HIGH
2025-05-02 416baaa9-dc9f-4396-8d5f-8c081fb06d67
7.1
CVSS 3.1

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd); patch available
CVE Published: May 02, 2025 - 16:15 (nvd); HIGH 7.1

Description (NVD)

In the Linux kernel, the following vulnerability has been resolved:

platform/chrome: cros_ec_chardev: fix kernel data leak from ioctl

It is possible to peep kernel page's data by providing larger insize in struct cros_ec_command[1] when invoking EC host commands.

Fix it by using zeroed memory.

[1]: https://elixir.bootlin.com/linux/v6.2/source/include/linux/platform_data/cros_ec_proto.h#L74

Analysis (AI)

A kernel memory disclosure vulnerability exists in the Linux kernel's Chrome OS Embedded Controller (cros_ec) character device driver, allowing a local attacker with low privileges to read sensitive kernel memory contents. By supplying a manipulated 'insize' parameter in the cros_ec_command structure during ioctl calls, an attacker can leak arbitrary kernel page data. The CVSS score is 7.1 (High severity) and the EPSS score is 0.06% (20th percentile), which represents a moderate real-world exploitation risk that requires local access. Patches are available from the vendor.

Technical Context (AI)

The vulnerability affects the platform/chrome/cros_ec_chardev driver in the Linux kernel, specifically the ioctl interface used for communicating with Chrome OS Embedded Controllers. According to the CPE data, affected versions include various Linux kernel releases up to and including 6.3-rc3. The root cause is an information disclosure weakness where the driver fails to zero-initialize memory buffers before copying data to userspace. When processing EC host commands through the cros_ec_command structure (defined in include/linux/platform_data/cros_ec_proto.h), a malicious local user can specify an artificially large 'insize' parameter that causes the kernel to return uninitialized kernel memory contents, potentially exposing sensitive data such as cryptographic keys, passwords, or other privileged information residing in adjacent kernel pages.
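The pattern described above, reduced to a userspace model (an added example, not the kernel driver's code): a buffer sized from a caller-supplied insize is copied back in full even though the device filled only part of it. The simplified struct, `dirty_alloc`, `ec_transfer` and the 0xA5 marker are constructed for illustration, and the short device response is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for struct cros_ec_command (not the kernel layout). */
struct ec_cmd {
    uint32_t insize;    /* bytes the caller asks to read back */
    uint8_t  data[];    /* response payload */
};

#define STALE 0xA5      /* constructed marker for leftover heap contents */

/* Model allocator: memory that still holds a previous owner's bytes. */
static void *dirty_alloc(size_t n) {
    void *p = malloc(n);
    if (p) memset(p, STALE, n);
    return p;
}

/* Hypothetical EC that fills only resp_len bytes of the response. */
static void ec_transfer(struct ec_cmd *c, size_t resp_len) {
    if (resp_len > c->insize) resp_len = c->insize;
    memset(c->data, 0x11, resp_len);
}

/* Runs one command; returns how many stale bytes reach the caller's buffer. */
size_t stale_bytes_copied(uint32_t insize, size_t resp_len, int zeroed) {
    size_t total = sizeof(struct ec_cmd) + insize, leaked = 0;
    /* zeroed == 0 models the unpatched allocation, 1 the zeroed one. */
    struct ec_cmd *c = zeroed ? calloc(1, total) : dirty_alloc(total);
    uint8_t *user = malloc(insize ? insize : 1);
    if (!c || !user) { free(c); free(user); return (size_t)-1; }

    c->insize = insize;
    ec_transfer(c, resp_len);
    memcpy(user, c->data, insize);   /* models copying insize bytes to userspace */

    for (uint32_t i = 0; i < insize; i++)
        leaked += (user[i] == STALE);
    free(c); free(user);
    return leaked;
}

int main(void) {
    printf("unzeroed: %zu stale bytes\n", stale_bytes_copied(256, 4, 0));
    printf("zeroed:   %zu stale bytes\n", stale_bytes_copied(256, 4, 1));
    return 0;
}
```

With the zeroed allocation the caller still receives insize bytes, but everything past the device's real response is zero rather than leftover memory.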

Remediation (AI)

Update the Linux kernel to a patched version that includes the fix for CVE-2023-53059. The vulnerability is resolved in commits available at https://git.kernel.org/stable/c/13493ad6a220cb3f6f3552a16b4f2753a118b633 (and related commits listed in references) which implement proper memory zeroing in the cros_ec_chardev driver. For distributions using long-term support kernels, apply the appropriate backported patch provided by your Linux distribution vendor. Systems not using Chrome OS EC hardware or without the cros_ec_chardev module loaded are not affected, but upgrading is still recommended as part of regular security maintenance. Until patching is possible, consider restricting access to the /dev/cros_ec device node through filesystem permissions or AppArmor/SELinux policies to trusted users only, though this is only a partial mitigation as any local user with existing access could exploit the vulnerability.
