CVE-2023-53761
- Source
- https://cve.org/CVERecord?id=CVE-2023-53761
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53761.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-53761
- Downstream
- Related
- Published
- 2025-12-08T01:19:22.571Z
- Modified
- 2026-03-20T12:33:20.054646Z
- Summary
- USB: usbtmc: Fix direction for 0-length ioctl control messages
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
USB: usbtmc: Fix direction for 0-length ioctl control messages
The syzbot fuzzer found a problem in the usbtmc driver: When a user submits an ioctl for a 0-length control transfer, the driver does not check that the direction is set to OUT:
------------[ cut here ]------------ usb 3-1: BOGUS control dir, pipe 80000b80 doesn't match bRequestType fd WARNING: CPU: 0 PID: 5100 at drivers/usb/core/urb.c:411 usbsubmiturb+0x14a7/0x1880 drivers/usb/core/urb.c:411 Modules linked in: CPU: 0 PID: 5100 Comm: syz-executor428 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 RIP: 0010:usbsubmiturb+0x14a7/0x1880 drivers/usb/core/urb.c:411 Code: 7c 24 40 e8 1b 13 5c fb 48 8b 7c 24 40 e8 21 1d f0 fe 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 e0 b5 fc 8a e8 19 c8 23 fb <0f> 0b e9 9f ee ff ff e8 ed 12 5c fb 0f b6 1d 12 8a 3c 08 31 ff 41 RSP: 0018:ffffc90003d2fb00 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff8880789e9058 RCX: 0000000000000000 RDX: ffff888029593b80 RSI: ffffffff814c1447 RDI: 0000000000000001 RBP: ffff88801ea742f8 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802915e528 R13: 00000000000000fd R14: 0000000080000b80 R15: ffff8880222b3100 FS: 0000555556ca63c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9ef4d18150 CR3: 0000000073e5b000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> usbstartwaiturb+0x101/0x4b0 drivers/usb/core/message.c:58 usbinternalcontrolmsg drivers/usb/core/message.c:102 [inline] usbcontrolmsg+0x320/0x4a0 drivers/usb/core/message.c:153 usbtmcioctlrequest drivers/usb/class/usbtmc.c:1954 [inline] usbtmc_ioctl+0x1b3d/0x2840 drivers/usb/class/usbtmc.c:2097
To fix this, we must override the direction in the bRequestType field of the control request structure when the length is 0.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53761.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/0ced12bdf624d8d8977ddb16eb130cd479d92bcf
- https://git.kernel.org/stable/c/3b43d9df27a708f4079d518b879f517fea150a91
- https://git.kernel.org/stable/c/50775a046c68e1d157d5e413cae2e5e00da1c463
- https://git.kernel.org/stable/c/6340e432cf70bf156b19c6f5dd737d940eca02a3
- https://git.kernel.org/stable/c/7cef7681aa7719ff585dd06113a061ab2def7da0
- https://git.kernel.org/stable/c/94d25e9128988c6a1fc9070f6e98215a95795bd8
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53761.json
- https://nvd.nist.gov/vuln/detail/CVE-2023-53761
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced658f24f4523e41cda6a389c38b763f4c0cad6fbcFixed7cef7681aa7719ff585dd06113a061ab2def7da0Fixed6340e432cf70bf156b19c6f5dd737d940eca02a3Fixed3b43d9df27a708f4079d518b879f517fea150a91Fixed0ced12bdf624d8d8977ddb16eb130cd479d92bcfFixed50775a046c68e1d157d5e413cae2e5e00da1c463Fixed94d25e9128988c6a1fc9070f6e98215a95795bd8