CVE-2023-53676: 
Linux Kernel vulnerability analysis and mitigation

A buffer overflow vulnerability was discovered in the Linux kernel's iSCSI target implementation, specifically in the liotargetnaclinfoshow() function. The vulnerability was disclosed on October 7, 2025, and is tracked as CVE-2023-53676. This security issue affects the SCSI target subsystem in the Linux kernel (NVD, Ubuntu).

The vulnerability exists in the liotargetnaclinfoshow() function which uses sprintf() in a loop to print details for every iSCSI connection in a session without checking for the buffer length. When there are enough iSCSI connections, it becomes possible to overflow the buffer provided by configfs and corrupt the memory. The fix involves replacing sprintf() with sysfsemitat() that properly checks for buffer boundaries. The vulnerability has been assigned a CVSS v3.1 base score of 6.7 with vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (RedHat).

The vulnerability could lead to memory corruption when processing iSCSI connection details. The high CVSS impact scores for confidentiality, integrity, and availability (C:H/I:H/A:H) indicate that successful exploitation could result in significant system compromise, though this requires local access with high privileges (RedHat).

Multiple Linux distributions have released patches to address this vulnerability. Ubuntu has fixed this in various kernel versions including linux-hwe-5.15 (5.15.0-94.104~20.04.1) for 20.04 LTS and linux-azure (5.15.0-1056.64) for 22.04 LTS. Red Hat has deferred fixes for RHEL 7, 8, and 9 versions (Ubuntu, RedHat).