What is CVE-2023-54300?

CVE-2023-54300 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 2.6.35 onward and patched in 4.14.322, 4.19.291, 5.4.251 and others. CVE-2023-54300 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2023-54300?

CVE-2023-54300 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2023-54300?

Yes, CVE-2023-54300 has been patched. Fixed versions include 4.14.322, 4.19.291, 5.4.251 and others. If you are running Linux kernel 2.6.35 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2023-54300 actively exploited?

CVE-2023-54300 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2023-54300

In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx For the reasons also described in commit b383e8abed41 ("wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should validate pkt_len before accessing the SKB. For example, the obtained SKB may have been badly constructed with pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr but after being processed in ath9k_htc_rx_msg() and passed to ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI command header which should be located inside its data payload. Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit memory can be referenced. Tested on Qualcomm Atheros Communications AR9271 802.11n . Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Package Linux Kernel

Published 2025-12-30

Last modified 2026-04-15

Patch available

Yes

Affected versions

Linux kernel versions 2.6.35 and later are affected. Fixed in 4.14.322, 4.19.291, 5.4.251, 5.10.188, 5.15.121, 6.1.39, 6.3.13, 6.4.4, 6.5 and their respective stable series.

Affected from

≥ 2.6.35

Fixed in

✓ 4.14.322 4.14.x ✓ 4.19.291 4.19.x ✓ 5.4.251 5.4.x ✓ 5.10.188 5.10.x ✓ 5.15.121 5.15.x ✓ 6.1.39 6.1.x ✓ 6.3.13 6.3.x ✓ 6.4.4 6.4.x ✓ 6.5

References

The following references provide additional information about CVE-2023-54300 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/0bc12e41af4e3ae1f0efecc377f0514459df0707
Patch
Kernel patch commit
https://git.kernel.org/stable/c/250efb4d3f5b32a115ea6bf25437ba44a1b3c04f
Patch
Kernel patch commit
https://git.kernel.org/stable/c/28259ce4f1f1f9ab37fa817756c89098213d2fc0
Patch

9 patch commits total View all on NVD

Frequently asked questions

What is CVE-2023-54300?

CVE-2023-54300 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 2.6.35 onward and has been patched in 4.14.322, 4.19.291, 5.4.251 and others. CVE-2023-54300 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2023-54300?

Yes — CVE-2023-54300 has been patched. Fixed versions include 4.14.322, 4.19.291, 5.4.251 and others. If you are running Linux kernel 2.6.35 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2023-54300 actively exploited?

No — CVE-2023-54300 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.