{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-53497", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-10-01T11:39:39.403Z", "datePublished": "2025-10-01T11:45:48.728Z", "dateUpdated": "2025-10-01T11:45:48.728Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-10-01T11:45:48.728Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vsp1: Replace vb2_is_streaming() with vb2_start_streaming_called()\n\nThe vsp1 driver uses the vb2_is_streaming() function in its .buf_queue()\nhandler to check if the .start_streaming() operation has been called,\nand decide whether to just add the buffer to an internal queue, or also\ntrigger a hardware run. vb2_is_streaming() relies on the vb2_queue\nstructure's streaming field, which used to be set only after calling the\n.start_streaming() operation.\n\nCommit a10b21532574 (\"media: vb2: add (un)prepare_streaming queue ops\")\nchanged this, setting the .streaming field in vb2_core_streamon() before\nenqueuing buffers to the driver and calling .start_streaming(). This\nbroke the vsp1 driver which now believes that .start_streaming() has\nbeen called when it hasn't, leading to a crash:\n\n[ 881.058705] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n[ 881.067495] Mem abort info:\n[ 881.070290] ESR = 0x0000000096000006\n[ 881.074042] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 881.079358] SET = 0, FnV = 0\n[ 881.082414] EA = 0, S1PTW = 0\n[ 881.085558] FSC = 0x06: level 2 translation fault\n[ 881.090439] Data abort info:\n[ 881.093320] ISV = 0, ISS = 0x00000006\n[ 881.097157] CM = 0, WnR = 0\n[ 881.100126] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004fa51000\n[ 881.106573] [0000000000000020] pgd=080000004f36e003, p4d=080000004f36e003, pud=080000004f7ec003, pmd=0000000000000000\n[ 881.117217] Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP\n[ 881.123494] Modules linked in: rcar_fdp1 v4l2_mem2mem\n[ 881.128572] CPU: 0 PID: 1271 Comm: yavta Tainted: G B 6.2.0-rc1-00023-g6c94e2e99343 #556\n[ 881.138061] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)\n[ 881.145981] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 881.152951] pc : vsp1_dl_list_add_body+0xa8/0xe0\n[ 881.157580] lr : vsp1_dl_list_add_body+0x34/0xe0\n[ 881.162206] sp : ffff80000c267710\n[ 881.165522] x29: ffff80000c267710 x28: ffff000010938ae8 x27: ffff000013a8dd98\n[ 881.172683] x26: ffff000010938098 x25: ffff000013a8dc00 x24: ffff000010ed6ba8\n[ 881.179841] x23: ffff00000faa4000 x22: 0000000000000000 x21: 0000000000000020\n[ 881.186998] x20: ffff00000faa4000 x19: 0000000000000000 x18: 0000000000000000\n[ 881.194154] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[ 881.201309] x14: 0000000000000000 x13: 746e696174206c65 x12: ffff70000157043d\n[ 881.208465] x11: 1ffff0000157043c x10: ffff70000157043c x9 : dfff800000000000\n[ 881.215622] x8 : ffff80000ab821e7 x7 : 00008ffffea8fbc4 x6 : 0000000000000001\n[ 881.222779] x5 : ffff80000ab821e0 x4 : ffff70000157043d x3 : 0000000000000020\n[ 881.229936] x2 : 0000000000000020 x1 : ffff00000e4f6400 x0 : 0000000000000000\n[ 881.237092] Call trace:\n[ 881.239542] vsp1_dl_list_add_body+0xa8/0xe0\n[ 881.243822] vsp1_video_pipeline_run+0x270/0x2a0\n[ 881.248449] vsp1_video_buffer_queue+0x1c0/0x1d0\n[ 881.253076] __enqueue_in_driver+0xbc/0x260\n[ 881.257269] vb2_start_streaming+0x48/0x200\n[ 881.261461] vb2_core_streamon+0x13c/0x280\n[ 881.265565] vb2_streamon+0x3c/0x90\n[ 881.269064] vsp1_video_streamon+0x2fc/0x3e0\n[ 881.273344] v4l_streamon+0x50/0x70\n[ 881.276844] __video_do_ioctl+0x2bc/0x5d0\n[ 881.280861] video_usercopy+0x2a8/0xc80\n[ 881.284704] video_ioctl2+0x20/0x40\n[ 881.288201] v4l2_ioctl+0xa4/0xc0\n[ 881.291525] __arm64_sys_ioctl+0xe8/0x110\n[ 881.295543] invoke_syscall+0x68/0x190\n[ 881.299303] el0_svc_common.constprop.0+0x88/0x170\n[ 881.304105] do_el0_svc+0x4c/0xf0\n[ 881.307430] el0_svc+0x4c/0xa0\n[ 881.310494] el0t_64_sync_handler+0xbc/0x140\n[ 881.314773] el0t_64_sync+0x190/0x194\n[ 881.318450] Code: d50323bf d65f03c0 91008263 f9800071 (885f7c60)\n[ 881.324551] ---[ end trace 0000000000000000 ]---\n[ 881.329173] note: yavta[1271] exited with preempt_count 1\n\nA different r\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/media/platform/renesas/vsp1/vsp1_video.c"], "versions": [{"version": "a10b215325740376ed551814a37d1f8e9d6b1ced", "lessThan": "960dc0aa4aa149f6f39125394f4feb51b7addc60", "status": "affected", "versionType": "git"}, {"version": "a10b215325740376ed551814a37d1f8e9d6b1ced", "lessThan": "b54f74214adf4e77cba6badf488c564dd353b491", "status": "affected", "versionType": "git"}, {"version": "a10b215325740376ed551814a37d1f8e9d6b1ced", "lessThan": "52d8caca3d533cc499f1255be25576ffd936ec95", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/media/platform/renesas/vsp1/vsp1_video.c"], "versions": [{"version": "6.2", "status": "affected"}, {"version": "0", "lessThan": "6.2", "status": "unaffected", "versionType": "semver"}, {"version": "6.2.15", "lessThanOrEqual": "6.2.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.3.2", "lessThanOrEqual": "6.3.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.4", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.15"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.3.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/960dc0aa4aa149f6f39125394f4feb51b7addc60"}, {"url": "https://git.kernel.org/stable/c/b54f74214adf4e77cba6badf488c564dd353b491"}, {"url": "https://git.kernel.org/stable/c/52d8caca3d533cc499f1255be25576ffd936ec95"}], "title": "media: vsp1: Replace vb2_is_streaming() with vb2_start_streaming_called()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "3844A90B-940D-46C3-8D7B-9FF63F1AFC2F", "versionEndExcluding": "6.2.15", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "38F6F330-91A0-4675-8B90-6F950471A7CC", "versionEndExcluding": "6.3.2", "versionStartIncluding": "6.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vsp1: Replace vb2_is_streaming() with vb2_start_streaming_called()\n\nThe vsp1 driver uses the vb2_is_streaming() function in its .buf_queue()\nhandler to check if the .start_streaming() operation has been called,\nand decide whether to just add the buffer to an internal queue, or also\ntrigger a hardware run. vb2_is_streaming() relies on the vb2_queue\nstructure's streaming field, which used to be set only after calling the\n.start_streaming() operation.\n\nCommit a10b21532574 (\"media: vb2: add (un)prepare_streaming queue ops\")\nchanged this, setting the .streaming field in vb2_core_streamon() before\nenqueuing buffers to the driver and calling .start_streaming(). This\nbroke the vsp1 driver which now believes that .start_streaming() has\nbeen called when it hasn't, leading to a crash:\n\n[ 881.058705] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n[ 881.067495] Mem abort info:\n[ 881.070290] ESR = 0x0000000096000006\n[ 881.074042] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 881.079358] SET = 0, FnV = 0\n[ 881.082414] EA = 0, S1PTW = 0\n[ 881.085558] FSC = 0x06: level 2 translation fault\n[ 881.090439] Data abort info:\n[ 881.093320] ISV = 0, ISS = 0x00000006\n[ 881.097157] CM = 0, WnR = 0\n[ 881.100126] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004fa51000\n[ 881.106573] [0000000000000020] pgd=080000004f36e003, p4d=080000004f36e003, pud=080000004f7ec003, pmd=0000000000000000\n[ 881.117217] Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP\n[ 881.123494] Modules linked in: rcar_fdp1 v4l2_mem2mem\n[ 881.128572] CPU: 0 PID: 1271 Comm: yavta Tainted: G B 6.2.0-rc1-00023-g6c94e2e99343 #556\n[ 881.138061] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)\n[ 881.145981] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 881.152951] pc : vsp1_dl_list_add_body+0xa8/0xe0\n[ 881.157580] lr : vsp1_dl_list_add_body+0x34/0xe0\n[ 881.162206] sp : ffff80000c267710\n[ 881.165522] x29: ffff80000c267710 x28: ffff000010938ae8 x27: ffff000013a8dd98\n[ 881.172683] x26: ffff000010938098 x25: ffff000013a8dc00 x24: ffff000010ed6ba8\n[ 881.179841] x23: ffff00000faa4000 x22: 0000000000000000 x21: 0000000000000020\n[ 881.186998] x20: ffff00000faa4000 x19: 0000000000000000 x18: 0000000000000000\n[ 881.194154] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[ 881.201309] x14: 0000000000000000 x13: 746e696174206c65 x12: ffff70000157043d\n[ 881.208465] x11: 1ffff0000157043c x10: ffff70000157043c x9 : dfff800000000000\n[ 881.215622] x8 : ffff80000ab821e7 x7 : 00008ffffea8fbc4 x6 : 0000000000000001\n[ 881.222779] x5 : ffff80000ab821e0 x4 : ffff70000157043d x3 : 0000000000000020\n[ 881.229936] x2 : 0000000000000020 x1 : ffff00000e4f6400 x0 : 0000000000000000\n[ 881.237092] Call trace:\n[ 881.239542] vsp1_dl_list_add_body+0xa8/0xe0\n[ 881.243822] vsp1_video_pipeline_run+0x270/0x2a0\n[ 881.248449] vsp1_video_buffer_queue+0x1c0/0x1d0\n[ 881.253076] __enqueue_in_driver+0xbc/0x260\n[ 881.257269] vb2_start_streaming+0x48/0x200\n[ 881.261461] vb2_core_streamon+0x13c/0x280\n[ 881.265565] vb2_streamon+0x3c/0x90\n[ 881.269064] vsp1_video_streamon+0x2fc/0x3e0\n[ 881.273344] v4l_streamon+0x50/0x70\n[ 881.276844] __video_do_ioctl+0x2bc/0x5d0\n[ 881.280861] video_usercopy+0x2a8/0xc80\n[ 881.284704] video_ioctl2+0x20/0x40\n[ 881.288201] v4l2_ioctl+0xa4/0xc0\n[ 881.291525] __arm64_sys_ioctl+0xe8/0x110\n[ 881.295543] invoke_syscall+0x68/0x190\n[ 881.299303] el0_svc_common.constprop.0+0x88/0x170\n[ 881.304105] do_el0_svc+0x4c/0xf0\n[ 881.307430] el0_svc+0x4c/0xa0\n[ 881.310494] el0t_64_sync_handler+0xbc/0x140\n[ 881.314773] el0t_64_sync+0x190/0x194\n[ 881.318450] Code: d50323bf d65f03c0 91008263 f9800071 (885f7c60)\n[ 881.324551] ---[ end trace 0000000000000000 ]---\n[ 881.329173] note: yavta[1271] exited with preempt_count 1\n\nA different r\n---truncated---"}], "id": "CVE-2023-53497", "lastModified": "2026-01-16T20:47:28.777", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-10-01T12:15:53.090", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/52d8caca3d533cc499f1255be25576ffd936ec95"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/960dc0aa4aa149f6f39125394f4feb51b7addc60"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b54f74214adf4e77cba6badf488c564dd353b491"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: media: vsp1: Replace vb2_is_streaming() with vb2_start_streaming_called()", "id": "2400794", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2400794"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2023-53497", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:rhivos:1", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat In-Vehicle Operating System 1"}], "public_date": "2025-10-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-53497\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53497\nhttps://lore.kernel.org/linux-cve-announce/2025100125-CVE-2023-53497-e3a3@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-10-02T08:38:40.574568+00:00", "updated": "2025-10-02T08:38:40.574620+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}