CVE-2023-52980
Published: 27 March 2025
Summary
CVE-2023-52980 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 18.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Applying vendor patches extends the queue_size field to unsigned int, directly remediating the integer overflow in the ublk driver that leads to out-of-bounds memory access.
Kernel memory protections like address space layout randomization and supervisor mode execution prevention mitigate exploitation of the out-of-bounds memory access triggered by the queue_size overflow.
Validating queue depth inputs to the ublk driver restricts values exceeding safe limits (e.g., 2728), preventing the integer overflow in queue_size calculation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel integer overflow in ublk driver enables out-of-bounds memory access for arbitrary code execution or privilege escalation from low-privileged user context.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: block: ublk: extending queue_size to fix overflow When validating drafted SPDK ublk target, in a case that assigning large queue depth to multiqueue ublk device, ublk target would run into…
more
a weird incorrect state. During rounds of review and debug, An overflow bug was found in ublk driver. In ublk_cmd.h, UBLK_MAX_QUEUE_DEPTH is 4096 which means each ublk queue depth can be set as large as 4096. But when setting qd for a ublk device, sizeof(struct ublk_queue) + depth * sizeof(struct ublk_io) will be larger than 65535 if qd is larger than 2728. Then queue_size is overflowed, and ublk_get_queue() references a wrong pointer position. The wrong content of ublk_queue elements will lead to out-of-bounds memory access. Extend queue_size in ublk_device as "unsigned int".
Deeper analysisAI
CVE-2023-52980 is an integer overflow vulnerability in the Linux kernel's block layer, specifically within the ublk (user block) driver. The issue arises when configuring a multiqueue ublk device with a large queue depth exceeding 2728, up to the maximum of 4096 defined by UBLK_MAX_QUEUE_DEPTH in ublk_cmd.h. The queue_size calculation, sizeof(struct ublk_queue) + depth * sizeof(struct ublk_io), exceeds 65535 and overflows, likely due to an underlying 16-bit type limit. This results in ublk_get_queue() accessing an incorrect pointer position, leading to out-of-bounds memory access classified under CWE-787.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction required (AV:L/AC:L/UI:N). Successful exploitation grants high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 7.8 in an unchanged scope (S:U). The attacker could potentially read or write arbitrary memory, execute arbitrary code, or cause system crashes by triggering the overflow during ublk device queue depth assignment.
Kernel patches addressing this issue are available in stable branches, as documented in the referenced commits. The fix extends the queue_size field in struct ublk_device from its original type to unsigned int, preventing the overflow and ensuring correct queue allocation. Security practitioners should update affected Linux kernels with these patches to mitigate the vulnerability.
Details
- CWE(s)