{ "threat_severity" : "Low", "public_date" : "2025-12-30T00:00:00Z", "bugzilla" : { "description" : "kernel: tty: fix out-of-bounds access in tty_driver_lookup_tty()", "id" : "2426177", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426177" }, "cvss3" : { "cvss3_base_score" : "3.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status" : "verified" }, "cwe" : "CWE-1285", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ntty: fix out-of-bounds access in tty_driver_lookup_tty()\nWhen specifying an invalid console= device like console=tty3270,\ntty_driver_lookup_tty() returns the tty struct without checking\nwhether index is a valid number.\nTo reproduce:\nqemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \\\n-kernel ../linux-build-x86/arch/x86/boot/bzImage \\\n-append \"console=ttyS0 console=tty3270\"\nThis crashes with:\n[ 0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef\n[ 0.771265] #PF: supervisor read access in kernel mode\n[ 0.771773] #PF: error_code(0x0000) - not-present page\n[ 0.772609] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 0.774878] RIP: 0010:tty_open+0x268/0x6f0\n[ 0.784013] chrdev_open+0xbd/0x230\n[ 0.784444] ? cdev_device_add+0x80/0x80\n[ 0.784920] do_dentry_open+0x1e0/0x410\n[ 0.785389] path_openat+0xca9/0x1050\n[ 0.785813] do_filp_open+0xaa/0x150\n[ 0.786240] file_open_name+0x133/0x1b0\n[ 0.786746] filp_open+0x27/0x50\n[ 0.787244] console_on_rootfs+0x14/0x4d\n[ 0.787800] kernel_init_freeable+0x1e4/0x20d\n[ 0.788383] ? rest_init+0xc0/0xc0\n[ 0.788881] kernel_init+0x11/0x120\n[ 0.789356] ret_from_fork+0x22/0x30", "An out-of-bounds access was found in the TTY subsystem. When an invalid console device is specified on the kernel command line (e.g., console=tty3270), the driver lookup returns a TTY struct with an invalid index, causing a crash during boot." ], "statement" : "This requires specifying an invalid console= parameter on the kernel command line. Only users with physical access or boot configuration access can trigger this. Normal system operation without such parameters is unaffected.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-11-12T00:00:00Z", "advisory" : "RHSA-2024:9315", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-503.11.1.el9_5" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-11-12T00:00:00Z", "advisory" : "RHSA-2024:9315", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-503.11.1.el9_5" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54198\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54198\nhttps://lore.kernel.org/linux-cve-announce/2025123029-CVE-2023-54198-1df4@gregkh/T" ], "name" : "CVE-2023-54198", "csaw" : false }