Cyber Posture

CVE-2023-53019

Severity: High
Published: 27 March 2025
Modified: 30 October 2025
KEV Added: not listed
Patch: (no entry on this page)
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (11.7th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-53019 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in the Linux kernel: mdiobus_get_phy() in the MDIO subsystem indexes the mdio_map array with an unvalidated addr parameter. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 11.7th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly mitigates the vulnerability by requiring timely remediation of the known flaw: apply the kernel patch that adds validation of the addr parameter in mdiobus_get_phy() before it is used to index mdio_map.

SI-10 Information Input Validation (prevent)

Addresses the root cause by requiring that inputs such as the addr parameter are checked against the valid range (0 to PHY_MAX_ADDR - 1) before they are used as an array index in the MDIO subsystem.

SI-16 Memory Protection (prevent)

Provides memory safeguards such as address space layout randomization that limit the impact of an out-of-bounds access. Caveat: KASLR raises the cost of turning an out-of-bounds read into code execution but does not stop the access itself or the crash it can cause, so it complements SI-2 rather than replacing it.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

An out-of-bounds array access in kernel code is memory corruption reachable from a local context, which is the pattern T1068 describes: a low-privileged attacker who can steer the access can attempt to escalate to kernel-level code execution or crash the system.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

In the Linux kernel, the following vulnerability has been resolved: net: mdio: validate parameter addr in mdiobus_get_phy() The caller may pass any value as addr, what may result in an out-of-bounds access to array mdio_map. One existing case is stmmac_init_phy() that may pass -1 as addr. Therefore validate addr before using it.

Deeper analysis

CVE-2023-53019 is a vulnerability in the Linux kernel's MDIO subsystem, specifically in the mdiobus_get_phy() function, where the addr parameter is not properly validated. This can lead to an out-of-bounds access in the mdio_map array, as callers like stmmac_init_phy() may pass invalid values such as -1. The issue is classified under CWE-129 (Improper Validation of Array Index) with a CVSS v3.1 base score of 7.8.

The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U) describes a local attacker with low privileges, low attack complexity and no user interaction, and rates the potential impact as high on confidentiality, integrity and availability (C:H/I:H/A:H): the pointer read from the out-of-bounds slot of mdio_map is treated as a struct mdio_device and dereferenced, so a bad index can produce a crash or, if the attacker controls what that memory holds, worse. Two caveats matter in practice. First, the only trigger the advisory cites is kernel driver code (stmmac_init_phy() passing -1), so reaching the path depends on platform and PHY configuration rather than on a direct unprivileged system call; the 7.8 is a ceiling for the vulnerability class, not a measure of a demonstrated local exploit. Second, the EPSS ranking in the 11.7th percentile is consistent with that narrow reachability.

Mitigation is to apply the upstream fix and its stable backports, for example the commit at https://git.kernel.org/stable/c/1d80c259dfbadefa61b7ea334dfce5cb57f8c72f, which add a range check on addr before mdio_map is indexed. To confirm a source tree carries the fix, check that mdiobus_get_phy() in drivers/net/phy/mdio_bus.c rejects any addr below 0 or at or above PHY_MAX_ADDR before it touches bus->mdio_map. On a running system, compare the kernel version against your distribution's advisory for this CVE rather than against the ranges below, since backports carry distribution-specific version strings.
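The program below is an added illustration written for this page; it is not kernel code and not the patch itself. It models mdiobus_get_phy() with the range check the fix adds, and for the stmmac case of addr = -1 it shows which bytes of the bus structure an unchecked bus->mdio_map[addr] would have interpreted as a device pointer, which is the failure the SI-10 control above is meant to prevent. The names PHY_MAX_ADDR, MDIO_DEVICE_FLAG_PHY, mdio_map and container_of follow the kernel; the struct layouts, the sample bus, the sentinel value and the demo_* helpers are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the MDIO lookup. Macro and field names follow the kernel;
 * the struct layouts are simplified stand-ins, not include/linux/phy.h. */
#define PHY_MAX_ADDR 32
#define MDIO_DEVICE_FLAG_PHY 1

struct mdio_device {
    unsigned int flags;
    int addr;
};

struct phy_device {
    struct mdio_device mdio;     /* the kernel embeds mdio_device like this */
    const char *name;
};

struct mii_bus {
    const char *name;
    uintptr_t field_before_map;  /* stand-in for whatever precedes mdio_map */
    struct mdio_device *mdio_map[PHY_MAX_ADDR];
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Patched lookup: the range check is the line the fix adds. */
struct phy_device *mdiobus_get_phy_fixed(struct mii_bus *bus, int addr)
{
    struct mdio_device *mdiodev;

    if (addr < 0 || addr >= PHY_MAX_ADDR)
        return NULL;

    mdiodev = bus->mdio_map[addr];
    if (!mdiodev)
        return NULL;
    if (!(mdiodev->flags & MDIO_DEVICE_FLAG_PHY))
        return NULL;
    return container_of(mdiodev, struct phy_device, mdio);
}

/* Byte offset inside struct mii_bus that an unchecked bus->mdio_map[addr]
 * would read; a negative addr lands in front of the array. */
static ptrdiff_t unchecked_slot_offset(int addr)
{
    return (ptrdiff_t)offsetof(struct mii_bus, mdio_map)
         + (ptrdiff_t)addr * (ptrdiff_t)sizeof(void *);
}

/* 1 if the unchecked read for addr falls outside mdio_map, else 0. */
int unchecked_index_escapes_array(int addr)
{
    ptrdiff_t lo = (ptrdiff_t)offsetof(struct mii_bus, mdio_map);
    ptrdiff_t hi = lo + (ptrdiff_t)(PHY_MAX_ADDR * sizeof(void *));
    ptrdiff_t off = unchecked_slot_offset(addr);
    return off < lo || off >= hi;
}

/* The value the pre-patch code would have used as a mdio_device pointer.
 * Read via memcpy at a byte offset so the demo stays inside the struct and
 * is well defined; the kernel's mdio_map[-1] reads the same bytes out of
 * bounds. Offsets that leave the struct entirely are refused (returns 0). */
uintptr_t value_unchecked_read_would_use(const struct mii_bus *bus, int addr)
{
    uintptr_t v = 0;
    ptrdiff_t off = unchecked_slot_offset(addr);

    if (off < 0 || off + (ptrdiff_t)sizeof v > (ptrdiff_t)sizeof *bus)
        return 0;
    memcpy(&v, (const char *)bus + off, sizeof v);
    return v;
}

/* Constructed sample bus: a PHY at address 3, a non-PHY MDIO device at 5,
 * and a recognisable sentinel in the member just in front of the array. */
static struct phy_device demo_phy_dev = { { MDIO_DEVICE_FLAG_PHY, 3 }, "phy3" };
static struct mdio_device demo_nonphy = { 0, 5 };
static struct mii_bus demo_bus_storage;

struct mii_bus *demo_bus(void)
{
    memset(&demo_bus_storage, 0, sizeof demo_bus_storage);
    demo_bus_storage.name = "demo-mdio";
    demo_bus_storage.field_before_map = (uintptr_t)0xdeadbeef;
    demo_bus_storage.mdio_map[3] = &demo_phy_dev.mdio;
    demo_bus_storage.mdio_map[5] = &demo_nonphy;
    return &demo_bus_storage;
}

struct phy_device *demo_phy(void) { return &demo_phy_dev; }

int main(void)
{
    struct mii_bus *bus = demo_bus();
    int probes[] = { -1, 0, 3, 5, PHY_MAX_ADDR };
    size_t i;

    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int a = probes[i];
        printf("addr %3d: fixed lookup -> %s; unchecked index %s mdio_map",
               a, mdiobus_get_phy_fixed(bus, a) ? "phy" : "NULL",
               unchecked_index_escapes_array(a) ? "escapes" : "stays in");
        if (a == -1)
            printf(" (would dereference 0x%llx as a mdio_device *)",
                   (unsigned long long)value_unchecked_read_would_use(bus, a));
        printf("\n");
    }
    return 0;
}
```

The range check is cheap and closes both directions of the bug: -1 from a misconfigured stmmac platform and any value at or above PHY_MAX_ADDR. Validating at mdiobus_get_phy() rather than only in stmmac_init_phy() is the right layer, since every other caller of the helper gets the check for free.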

Details

CWE(s)

CWE-129 Improper Validation of Array Index

Affected Products

Linux kernel (vendor: Linux)
6.2
4.5 to 4.14.305
4.15 to 4.19.272
4.20 to 5.4.231

The list above as given on this page does not cover the 5.10, 5.15 or 6.1 stable series; check the upstream stable trees or your distribution's advisory for those.

CVEs Like This One

CVE-2025-71100 (same product: Linux kernel)
CVE-2023-52988 (same product: Linux kernel)
CVE-2023-52987 (same product: Linux kernel)
CVE-2025-21692 (same product: Linux kernel)
CVE-2026-23354 (same product: Linux kernel)
CVE-2026-23447 (same product: Linux kernel)
CVE-2025-71143 (same product: Linux kernel)
CVE-2025-21680 (same product: Linux kernel)
CVE-2025-71086 (same product: Linux kernel)
CVE-2026-31694 (same product: Linux kernel)
