CVE-2023-53124: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-53124 is a vulnerability discovered in the Linux kernel's SCSI subsystem, specifically affecting the mpt3sas driver. The vulnerability was published on May 2, 2025, and involves a NULL pointer access issue in the mpt3sastransportport_add() function (NVD, Wiz).

The vulnerability occurs when handling port allocation in the mpt3sas driver. The issue arises because ports allocated by sasportallocnum() and rphy allocated by either sasenddevicealloc() or sasexpanderalloc() may return NULL. Additionally, if sasrphyadd() returns with failure, rphy is set to NULL, leading to subsequent NULL pointer access in the following code lines. The vulnerability has been assigned a CVSS base score of 5.5 with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Wiz).

The vulnerability could lead to NULL pointer dereference in the Linux kernel's SCSI subsystem, potentially causing system crashes or denial of service conditions. This affects various Linux distributions including Oracle Linux's Unbreakable Enterprise kernel (Wiz).

The vulnerability has been fixed in various Linux distributions. Debian has addressed this in versions bullseye 5.10.178-1, bookworm 6.1.129-1, and trixie 6.12.22-1. Ubuntu has released fixes for multiple versions including 22.04 LTS (5.15.0-79.86), 20.04 LTS (5.4.0-156.173), and 18.04 LTS (Debian Security, Ubuntu).