What is CVE-2023-54036?

CVE-2023-54036 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 5.5 onward and patched in 5.10.173, 5.15.99, 6.1.16 and others. CVE-2023-54036 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2023-54036?

CVE-2023-54036 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2023-54036?

Yes, CVE-2023-54036 has been patched. Fixed versions include 5.10.173, 5.15.99, 6.1.16 and others. If you are running Linux kernel 5.5 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2023-54036 actively exploited?

CVE-2023-54036 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2023-54036

In the Linux kernel, the following vulnerability has been resolved: wifi: rtl8xxxu: Fix memory leaks with RTL8723BU, RTL8192EU The wifi + bluetooth combo chip RTL8723BU can leak memory (especially?) when it's connected to a bluetooth audio device. The busy bluetooth traffic generates lots of C2H (card to host) messages, which are not freed correctly. To fix this, move the dev_kfree_skb() call in rtl8xxxu_c2hcmd_callback() inside the loop where skb_dequeue() is called. The RTL8192EU leaks memory because the C2H messages are added to the queue and left there forever. (This was fine in the past because it probably wasn't sending any C2H messages until commit e542e66b7c2e ("wifi: rtl8xxxu: gen2: Turn on the rate control"). Since that commit it sends a C2H message when the TX rate changes.) To fix this, delete the check for rf_paths > 1 and the goto. Let the function process the C2H messages from RTL8192EU like the ones from the other chips. Theoretically the RTL8188FU could also leak like RTL8723BU, but it most likely doesn't send C2H messages frequently enough. This change was tested with RTL8723BU by Erhard F. I tested it with RTL8188FU and RTL8192EU.

Package Linux Kernel

Published 2025-12-24

Last modified 2026-04-15

Patch available

Yes

Affected versions

Linux kernel versions 5.5 and later are affected. Fixed in 5.10.173, 5.15.99, 6.1.16, 6.2.3, 6.3 and their respective stable series.

Affected from

≥ 5.5

Fixed in

✓ 5.10.173 5.10.x ✓ 5.15.99 5.15.x ✓ 6.1.16 6.1.x ✓ 6.2.3 6.2.x ✓ 6.3

References

The following references provide additional information about CVE-2023-54036 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/35fb0e275af1aa1ca0a9784417e90f988aaf8e78
Patch
Kernel patch commit
https://git.kernel.org/stable/c/430f9f9bec53a75f9ccc53e156a66f13fc098b83
Patch
Kernel patch commit
https://git.kernel.org/stable/c/93c3f34ec02fc81188d328287d4fddd498ccddea
Patch

5 patch commits total View all on NVD

Frequently asked questions

What is CVE-2023-54036?

CVE-2023-54036 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 5.5 onward and has been patched in 5.10.173, 5.15.99, 6.1.16 and others. CVE-2023-54036 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2023-54036?

Yes — CVE-2023-54036 has been patched. Fixed versions include 5.10.173, 5.15.99, 6.1.16 and others. If you are running Linux kernel 5.5 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2023-54036 actively exploited?

No — CVE-2023-54036 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.