What is CVE-2023-53148?

CVE-2023-53148 is a High severity Linux kernel vulnerability with a CVSS score of 7.8 out of 10, affecting Linux kernel versions from 2.6.25 onward and patched in 4.14.322, 4.19.291, 5.4.251 and others. CVE-2023-53148 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2023-53148?

CVE-2023-53148 has a CVSS score of 7.8 out of 10, rated High severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Is there a patch available for CVE-2023-53148?

Yes, CVE-2023-53148 has been patched. Fixed versions include 4.14.322, 4.19.291, 5.4.251 and others. If you are running Linux kernel 2.6.25 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2023-53148 actively exploited?

CVE-2023-53148 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2023-53148

High

In the Linux kernel, the following vulnerability has been resolved: igb: Fix igb_down hung on surprise removal In a setup where a Thunderbolt hub connects to Ethernet and a display through USB Type-C, users may experience a hung task timeout when they remove the cable between the PC and the Thunderbolt hub. This is because the igb_down function is called multiple times when the Thunderbolt hub is unplugged. For example, the igb_io_error_detected triggers the first call, and the igb_remove triggers the second call. The second call to igb_down will block at napi_synchronize. Here's the call trace: __schedule+0x3b0/0xddb ? __mod_timer+0x164/0x5d3 schedule+0x44/0xa8 schedule_timeout+0xb2/0x2a4 ? run_local_timers+0x4e/0x4e msleep+0x31/0x38 igb_down+0x12c/0x22a [igb 6615058754948bfde0bf01429257eb59f13030d4] __igb_close+0x6f/0x9c [igb 6615058754948bfde0bf01429257eb59f13030d4] igb_close+0x23/0x2b [igb 6615058754948bfde0bf01429257eb59f13030d4] __dev_close_many+0x95/0xec dev_close_many+0x6e/0x103 unregister_netdevice_many+0x105/0x5b1 unregister_netdevice_queue+0xc2/0x10d unregister_netdev+0x1c/0x23 igb_remove+0xa7/0x11c [igb 6615058754948bfde0bf01429257eb59f13030d4] pci_device_remove+0x3f/0x9c device_release_driver_internal+0xfe/0x1b4 pci_stop_bus_device+0x5b/0x7f pci_stop_bus_device+0x30/0x7f pci_stop_bus_device+0x30/0x7f pci_stop_and_remove_bus_device+0x12/0x19 pciehp_unconfigure_device+0x76/0xe9 pciehp_disable_slot+0x6e/0x131 pciehp_handle_presence_or_link_change+0x7a/0x3f7 pciehp_ist+0xbe/0x194 irq_thread_fn+0x22/0x4d ? irq_thread+0x1fd/0x1fd irq_thread+0x17b/0x1fd ? irq_forced_thread_fn+0x5f/0x5f kthread+0x142/0x153 ? __irq_get_irqchip_state+0x46/0x46 ? kthread_associate_blkcg+0x71/0x71 ret_from_fork+0x1f/0x30 In this case, igb_io_error_detected detaches the network interface and requests a PCIE slot reset, however, the PCIE reset callback is not being invoked and thus the Ethernet connection breaks down. As the PCIE error in this case is a non-fatal one, requesting a slot reset can be avoided. This patch fixes the task hung issue and preserves Ethernet connection by ignoring non-fatal PCIE errors.

Package Linux Kernel

Published 2025-09-15

Last modified 2025-11-25

CVSS version 3.1

Patch available

Yes

CVSS 3.1 score

7.8

out of 10

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weakness type

CWE-415

CVE-2023-53148 is classified as CWE-415

See CWE-415 on MITRE CWE for full details on this weakness type.

Affected versions

Linux kernel versions 2.6.25 and later are affected. Fixed in 4.14.322, 4.19.291, 5.4.251, 5.10.188, 5.15.150, 6.1.42, 6.4.7, 6.5 and their respective stable series.

Affected from

≥ 2.6.25

Fixed in

✓ 4.14.322 4.14.x ✓ 4.19.291 4.19.x ✓ 5.4.251 5.4.x ✓ 5.10.188 5.10.x ✓ 5.15.150 5.15.x ✓ 6.1.42 6.1.x ✓ 6.4.7 6.4.x ✓ 6.5

References

The following references provide additional information about CVE-2023-53148 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/004d25060c78fc31f66da0fa439c544dda1ac9d5
Patch
Kernel patch commit
https://git.kernel.org/stable/c/124e39a734cb90658b8f0dc110847bbfc6e33792
Patch
Kernel patch commit
https://git.kernel.org/stable/c/39695e87d86f0e7d897fba1d2559f825aa20caeb
Patch

8 patch commits total View all on NVD

Details

CVE ID CVE-2023-53148

Severity High

CVSS score 7.8 / 10

CVSS version 3.1

Published 2025-09-15

Modified 2025-11-25

KEV No

Patch

Yes

Package linux

Frequently asked questions

What is CVE-2023-53148?

CVE-2023-53148 is a High severity Linux kernel vulnerability with a CVSS score of 7.8 out of 10 . It affects Linux kernel versions from 2.6.25 onward and has been patched in 4.14.322, 4.19.291, 5.4.251 and others. CVE-2023-53148 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2023-53148?

CVE-2023-53148 has a CVSS score of 7.8 out of 10, rated High severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Is there a patch available for CVE-2023-53148?

Yes — CVE-2023-53148 has been patched. Fixed versions include 4.14.322, 4.19.291, 5.4.251 and others. If you are running Linux kernel 2.6.25 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2023-53148 actively exploited?

No — CVE-2023-53148 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.