What is CVE-2023-54277?

CVE-2023-54277 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 5.4.192 onward and patched in 5.4.244, 5.10.181, 5.15.114 and others. CVE-2023-54277 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2023-54277?

CVE-2023-54277 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2023-54277?

Yes, CVE-2023-54277 has been patched. Fixed versions include 5.4.244, 5.10.181, 5.15.114 and others. If you are running Linux kernel 5.4.192 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2023-54277 actively exploited?

CVE-2023-54277 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2023-54277

In the Linux kernel, the following vulnerability has been resolved: fbdev: udlfb: Fix endpoint check The syzbot fuzzer detected a problem in the udlfb driver, caused by an endpoint not having the expected type: usb 1-1: Read EDID byte 0 failed: -71 usb 1-1: Unable to get valid EDID from device/display ------------[ cut here ]------------ usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 0 PID: 9 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 Modules linked in: CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.4.0-rc1-syzkaller-00016-ga4422ff22142 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 Workqueue: usb_hub_wq hub_event RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 ... Call Trace: <TASK> dlfb_submit_urb+0x92/0x180 drivers/video/fbdev/udlfb.c:1980 dlfb_set_video_mode+0x21f0/0x2950 drivers/video/fbdev/udlfb.c:315 dlfb_ops_set_par+0x2a7/0x8d0 drivers/video/fbdev/udlfb.c:1111 dlfb_usb_probe+0x149a/0x2710 drivers/video/fbdev/udlfb.c:1743 The current approach for this issue failed to catch the problem because it only checks for the existence of a bulk-OUT endpoint; it doesn't check whether this endpoint is the one that the driver will actually use. We can fix the problem by instead checking that the endpoint used by the driver does exist and is bulk-OUT.

Package Linux Kernel

Published 2025-12-30

Last modified 2026-04-15

Patch available

Yes

Affected versions

Linux kernel versions 5.4.192, 5.10.114, 5.15.38, 5.17.6, 5.18 and later are affected. Fixed in 5.4.244, 5.10.181, 5.15.114, 6.1.31, 6.3.5, 6.4 and their respective stable series.

Affected from

≥ 5.4.192 ≥ 5.10.114 ≥ 5.15.38 ≥ 5.17.6 ≥ 5.18

Fixed in

✓ 5.4.244 5.4.x ✓ 5.10.181 5.10.x ✓ 5.15.114 5.15.x ✓ 6.1.31 6.1.x ✓ 6.3.5 6.3.x ✓ 6.4

References

The following references provide additional information about CVE-2023-54277 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/1522dc58bff87af79461b96d90ec122e9e726004
Patch
Kernel patch commit
https://git.kernel.org/stable/c/58ecc165abdaed85447455e6dc396758e8c6f219
Patch
Kernel patch commit
https://git.kernel.org/stable/c/9e12c58a5ece41be72157cef348576b135c9fc72
Patch

6 patch commits total View all on NVD

Frequently asked questions

What is CVE-2023-54277?

CVE-2023-54277 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 5.4.192 onward and has been patched in 5.4.244, 5.10.181, 5.15.114 and others. CVE-2023-54277 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2023-54277?

Yes — CVE-2023-54277 has been patched. Fixed versions include 5.4.244, 5.10.181, 5.15.114 and others. If you are running Linux kernel 5.4.192 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2023-54277 actively exploited?

No — CVE-2023-54277 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.