CVE-2023-52893

gsmi: fix null-deref in gsmi_get_variable

Description

In the Linux kernel, the following vulnerability has been resolved: gsmi: fix null-deref in gsmi_get_variable We can get EFI variables without fetching the attribute, so we must allow for that in gsmi. commit 859748255b43 ("efi: pstore: Omit efivars caching EFI varstore access layer") added a new get_variable call with attr=NULL, which triggers panic in gsmi.

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.05%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/ee5763ef829bd923033510de6d1df7c73f085e4b patch
https://git.kernel.org/stable/c/32313c11bdc8a02c577abaf865be3664ab30410a patch
https://git.kernel.org/stable/c/ffef77794fb5f1245c3249b86342bad2299accb5 patch
https://git.kernel.org/stable/c/ae2a9dcc8caa60b1e14671294e5ec902ea5d1dfd patch
https://git.kernel.org/stable/c/eb0421d90f916dffe96b4c049ddf01c0c50620d2 patch
https://git.kernel.org/stable/c/6646d769fdb0ce4318ef9afd127f8526d1ca8393 patch
https://git.kernel.org/stable/c/a769b05eeed7accc4019a1ed9799dd72067f1ce8 patch

Frequently Asked Questions

What is the severity of CVE-2023-52893?
CVE-2023-52893 has been scored as a medium severity vulnerability.
How to fix CVE-2023-52893?
To fix CVE-2023-52893, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-52893 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-52893 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-52893?
CVE-2023-52893 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.