CVE-2023-53392
Severity: HIGH

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:

HID: intel-ish-hid: Fix kernel panic during warm reset

During warm reset device->fw_client is set to NULL. If a bus driver is registered after this NULL setting and before new firmware clients are enumerated by ISHTP, kernel panic will result in the function ishtp_cl_bus_match(). This is because of the reference to device->fw_client->props.protocol_name.

ISH firmware, after getting successfully loaded, sends a warm reset notification to remove all clients from the bus and sets device->fw_client to NULL.

Until kernel v5.15, all enabled ISHTP kernel module drivers were loaded right after the first ISHTP device was registered, regardless of whether it was a matched or an unmatched device. This resulted in all drivers getting registered much before the warm reset notification from ISH.

Starting with kernel v5.16, this issue got exposed after the change was introduced to load only bus drivers for the respective matching devices. In this scenario, the cros_ec_ishtp device and cros_ec_ishtp driver are registered after the warm reset device fw_client NULL setting. cros_ec_ishtp driver_register() triggers the callback to ishtp_cl_bus_match() to match the ISHTP driver to the device and causes a kernel panic in guid_equal() when dereferencing the fw_client NULL pointer to get protocol_name.
Analysis
A NULL pointer dereference in the Linux kernel's Intel ISH-HID (intel-ish-hid) driver causes a kernel panic when an ISHTP bus driver is registered during a warm reset, after device->fw_client has been cleared and before the firmware clients are re-enumerated. The issue affects Linux kernel versions 5.16 through 6.3-rc1. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H, base score 7.1) rates it as a local, low-privilege issue with high availability and confidentiality impact; the failure mode the fix describes is a crash in ishtp_cl_bus_match(), reached through driver registration timing (a client driver such as cros_ec_ishtp registering while the device sits in the reset window), so denial of service is the documented outcome. The EPSS score of 0.01% is a low estimated probability of exploitation activity in the next 30 days, not a count of observed attacks. Patches are available from the vendor.
Technical Context
This vulnerability affects the Intel Integrated Sensor Hub (ISH) Human Interface Device (HID) driver in the Linux kernel. The ISH framework exposes firmware clients on the ISHTP (ISH Transport Protocol) bus; each ishtp_cl_device carries a fw_client pointer, and its props.protocol_name GUID is what ishtp_cl_bus_match() compares against a driver's ID table to decide whether the driver binds to the device. Once the ISH firmware has loaded successfully it sends a warm reset notification; handling that notification removes all clients from the bus and sets device->fw_client to NULL until the firmware re-enumerates its clients. Up to kernel 5.15, every enabled ISHTP client driver was loaded as soon as the first ISHTP device was registered, matched or not, so all drivers were registered well before the warm reset notification arrived. Kernel 5.16 changed this to load only the bus driver that matches a given device, which opened a window: if a client driver such as cros_ec_ishtp is registered after the NULL assignment and before re-enumeration, driver_register() invokes ishtp_cl_bus_match(), which passes &device->fw_client->props.protocol_name to guid_equal() and dereferences the NULL pointer, producing a kernel panic. The defect is a match callback with no guard for a device whose fw_client has been cleared; what 5.16 changed was only the timing of driver registration relative to the reset, which is why the crash surfaced then.
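The reset window described above, modelled in user space as an added example (this is not the kernel's code and not the text of the fix commits): the pre-fix shape of the match callback beside a guarded one, plus a small bus model that runs driver registration before the warm reset, inside the window, and after re-enumeration. The structures, the GUID bytes, and the helper names (ishtp_bus, ishtp_bus_add_device, ishtp_warm_reset, ishtp_enumerate_client, ishtp_bus_in_reset_window, ishtp_driver_register, and the two match functions) are illustrative stand-ins, the kernel's struct device / struct device_driver wrapping is flattened away, and the guarded variant shows the kind of check the fix needs rather than the patch's exact text.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space stand-ins for the kernel structures: illustrative shapes, not kernel definitions. */
typedef struct { uint8_t b[16]; } guid_t;
struct ishtp_fw_client { struct { guid_t protocol_name; } props; };
struct ishtp_cl_device { struct ishtp_fw_client *fw_client; };  /* NULL after warm reset */
struct ishtp_device_id { guid_t guid; };
struct ishtp_cl_driver { const struct ishtp_device_id *id; };  /* id[0] is what the bus compares */

static int guid_equal(const guid_t *a, const guid_t *b) { return memcmp(a->b, b->b, sizeof(a->b)) == 0; }

/* Constructed GUIDs for the example; not the real cros_ec_ishtp protocol GUID. */
#define CROS_EC_GUID_INIT {{ 0x7b, 0x2d, 0x33, 0x9a, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c }}
#define OTHER_GUID_INIT   {{ 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00 }}
static struct ishtp_fw_client cros_ec_fw_client = { .props = { CROS_EC_GUID_INIT } };
static struct ishtp_fw_client other_fw_client   = { .props = { OTHER_GUID_INIT } };
static const struct ishtp_device_id cros_ec_ishtp_id_table[] = { { CROS_EC_GUID_INIT } };
static const struct ishtp_cl_driver cros_ec_ishtp_driver = { .id = cros_ec_ishtp_id_table };

/* Pre-fix shape of ishtp_cl_bus_match(): it reads device->fw_client->props unconditionally, so on a
 * device in the reset window guid_equal() dereferences NULL (a kernel oops; a segfault in this model).
 * The kernel's struct device / struct device_driver wrappers are flattened away here. */
static int ishtp_cl_bus_match_unsafe(const struct ishtp_cl_device *device, const struct ishtp_cl_driver *driver)
{
	return guid_equal(&driver->id[0].guid, &device->fw_client->props.protocol_name);
}

/* Guarded shape: a device whose client was cleared by warm reset matches nothing. */
static int ishtp_cl_bus_match_fixed(const struct ishtp_cl_device *device, const struct ishtp_cl_driver *driver)
{
	if (!device->fw_client)
		return 0;
	return guid_equal(&driver->id[0].guid, &device->fw_client->props.protocol_name);
}

#define ISHTP_MAX_DEVICES 4
struct ishtp_bus { struct ishtp_cl_device devices[ISHTP_MAX_DEVICES]; int ndev; };
/* First enumeration: register a device with its firmware client (NULL when the bus is full). */
static struct ishtp_cl_device *ishtp_bus_add_device(struct ishtp_bus *bus, struct ishtp_fw_client *client)
{
	if (bus->ndev >= ISHTP_MAX_DEVICES)
		return NULL;
	bus->devices[bus->ndev].fw_client = client;
	return &bus->devices[bus->ndev++];
}

/* Warm reset notification: every device loses its firmware client until re-enumeration. */
static void ishtp_warm_reset(struct ishtp_bus *bus)
{
	for (int i = 0; i < bus->ndev; i++)
		bus->devices[i].fw_client = NULL;
}
/* Firmware re-enumeration reattaches a client to a device. */
static void ishtp_enumerate_client(struct ishtp_cl_device *dev, struct ishtp_fw_client *client)
{
	dev->fw_client = client;
}

/* Nonzero while any device sits between warm reset and re-enumeration: the window the CVE describes. */
static int ishtp_bus_in_reset_window(const struct ishtp_bus *bus)
{
	for (int i = 0; i < bus->ndev; i++)
		if (!bus->devices[i].fw_client)
			return 1;
	return 0;
}

/* Model of driver_register(): the bus core runs the match callback against every device; returns how many bound. */
static int ishtp_driver_register(const struct ishtp_bus *bus, const struct ishtp_cl_driver *drv,
				 int (*match)(const struct ishtp_cl_device *, const struct ishtp_cl_driver *))
{
	int bound = 0;
	for (int i = 0; i < bus->ndev; i++)
		bound += match(&bus->devices[i], drv) ? 1 : 0;
	return bound;
}

int main(void)
{
	struct ishtp_bus bus = {0};
	struct ishtp_cl_device *cros_dev = ishtp_bus_add_device(&bus, &cros_ec_fw_client);
	struct ishtp_cl_device *other_dev = ishtp_bus_add_device(&bus, &other_fw_client);
	/* Pre-5.16 ordering: the driver registers before the warm reset; both matchers bind one device. */
	printf("before reset: unsafe=%d fixed=%d\n",
	       ishtp_driver_register(&bus, &cros_ec_ishtp_driver, ishtp_cl_bus_match_unsafe),
	       ishtp_driver_register(&bus, &cros_ec_ishtp_driver, ishtp_cl_bus_match_fixed));
	/* 5.16+ ordering: warm reset first, then the driver registers. Only the guarded matcher is safe
	 * to call here; ishtp_cl_bus_match_unsafe would segfault, the user-space twin of the oops. */
	ishtp_warm_reset(&bus);
	printf("in reset window=%d, guarded matcher binds %d device(s)\n", ishtp_bus_in_reset_window(&bus),
	       ishtp_driver_register(&bus, &cros_ec_ishtp_driver, ishtp_cl_bus_match_fixed));
	/* After re-enumeration the driver binds to its own device and nothing else. */
	ishtp_enumerate_client(cros_dev, &cros_ec_fw_client);
	ishtp_enumerate_client(other_dev, &other_fw_client);
	printf("after re-enumeration: fixed=%d\n",
	       ishtp_driver_register(&bus, &cros_ec_ishtp_driver, ishtp_cl_bus_match_fixed));
	return 0;
}
```

The guarded matcher returns "no match" for a device in the window, so a driver that registers there simply binds nothing and is picked up on the next match pass once re-enumeration restores fw_client; that is the behaviour a bus match callback needs when the device's backing client can legitimately be absent for a while.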
Affected Products
Linux kernel versions 5.16 through 6.3-rc1 are affected. The CPE entries recorded for this CVE, cpe:2.3:o:linux:linux_kernel:5.16 and cpe:2.3:o:linux:linux_kernel:6.3:rc1, cover the 5.16 base release (listed together with its release candidates rc3 through rc8) and 6.3-rc1. The crash needs Intel Integrated Sensor Hub hardware with the intel-ish-hid driver enabled and an ISHTP client driver that registers during the warm reset window; cros_ec_ishtp on ChromeOS devices is the case the fix describes, but any ISHTP bus driver registered in that window takes the same path through ishtp_cl_bus_match(). Distributions shipping kernels in this range should be treated as vulnerable unless their kernel carries the fix as a backport; the three fix commits cited under Remediation are stable-tree commits, so the package changelog or the presence of the commit is a better test than the version string alone.
Remediation
Upgrade to a kernel that contains the fix, tracked in the stable tree at https://git.kernel.org/stable/c/38518593ec55e897abda4b4be77b2ec8ec4447d1, https://git.kernel.org/stable/c/45b9055a3a3ff6e8c08faad82ea36a8644a81587 and https://git.kernel.org/stable/c/6c8cc40c588f8080a164d88336b1490279e0f1da. For systems running kernels 5.16 through 6.3-rc1, move to the latest stable kernel from your Linux distribution that incorporates one of these commits; because distribution kernels carry backports, confirm the commit is present in the package changelog rather than relying on the version number. Until patching is feasible, a workaround is to prevent the intel-ish-hid or cros_ec_ishtp modules from loading (for example with a modprobe.d blacklist entry) where Intel ISH functionality is not required; this removes the sensor hub and, on ChromeOS hardware, the EC link carried over ISH, so verify that nothing on the system depends on them first. Check with your distribution vendor for patch availability and update procedures.