CVE-2023-53124: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability has been identified in the Linux kernel affecting the SCSI subsystem, specifically in the mpt3sas driver. The vulnerability (CVE-2023-53124) involves a NULL pointer access issue in the mpt3sastransportport_add() function. This vulnerability was published on May 02, 2025 (NVD).

The vulnerability occurs when handling port allocation in the mpt3sas driver. The issue arises because ports allocated by sasportallocnum() and rphy allocated by either sasenddevicealloc() or sasexpanderalloc() may return NULL. Additionally, if sasrphyadd() returns with failure, rphy is set to NULL. The code then proceeds to access the rphy in subsequent lines, resulting in NULL pointer access (Debian Security).

The vulnerability could lead to NULL pointer dereference in the Linux kernel's SCSI subsystem, potentially causing system crashes or denial of service conditions. This affects various Linux distributions including Oracle Linux's Unbreakable Enterprise kernel with a CVSS base score of 4.7 (Oracle Linux).

The vulnerability has been fixed in various Linux distributions. Debian has addressed this in versions bullseye 5.10.178-1, bookworm 6.1.129-1, and trixie 6.12.22-1. Oracle Linux has also released patches for their Unbreakable Enterprise kernel (Debian Security).