
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-53729 is a vulnerability discovered in the Linux kernel's Qualcomm Messaging Interface (QMI) string decoder component, disclosed on October 22, 2025. The vulnerability affects the soc:qcom:qmi_encdec module, specifically in how it handles string length in the decode function (Red Hat CVE, NVD).
The QMI element info structures describe string TLVs with a length of MAXLEN + 1, the extra byte being reserved for the terminating NUL. If a decoded string's length itself equals MAXLEN + 1, appending the NULL character during decoding writes one byte past the destination buffer, an out-of-bounds access. The vulnerability has been assigned a CVSS v3.1 base score of 6.6 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H and is classified as CWE-787 (Red Hat CVE).
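As an added illustration (not code from the kernel or from this database entry), a memory-safe C model of the decoder's length check: a weak comparison lets a string of exactly MAXLEN + 1 bytes through, so the appended NUL would land one byte past an elem_len-sized buffer, while the corrected comparison rejects it. The struct, its field name, the function name and the sample TLV are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a QMI string element (hypothetical field name):
 * elem_len is MAXLEN + 1, i.e. it already reserves the terminating NUL. */
struct qmi_string_elem {
	size_t elem_len;
};

enum decode_result { DECODE_OK = 0, DECODE_REJECTED = -1, DECODE_WOULD_OVERFLOW = -2 };

/* Constructed sample TLV payload: 15 'A' bytes, no NUL inside the TLV. */
static const uint8_t sample_tlv[16] = "AAAAAAAAAAAAAAA";

/* Decode a string TLV of string_len bytes into out (capacity ei->elem_len)
 * and NUL-terminate it.  strict == 0 models the weak check (string_len >
 * elem_len), strict == 1 the corrected one (>=).  Where the weak check would
 * let the NUL land one byte past the buffer, the model returns
 * DECODE_WOULD_OVERFLOW instead of writing, so it stays memory-safe. */
int qmi_decode_string_model(const struct qmi_string_elem *ei,
			    const uint8_t *tlv, size_t string_len,
			    char *out, int strict)
{
	int too_long = strict ? (string_len >= ei->elem_len)
			      : (string_len > ei->elem_len);
	if (too_long)
		return DECODE_REJECTED;
	/* string_len payload bytes plus one NUL must fit in elem_len bytes. */
	if (string_len + 1 > ei->elem_len)
		return DECODE_WOULD_OVERFLOW;	/* only reachable via the weak check */
	memcpy(out, tlv, string_len);
	out[string_len] = '\0';
	return DECODE_OK;
}

int main(void)
{
	struct qmi_string_elem ei = { .elem_len = 8 };	/* MAXLEN = 7 */
	char out[8];

	/* Exactly MAXLEN + 1 bytes: the weak check passes and the NUL goes OOB. */
	printf("weak   check, len 8: %d\n", qmi_decode_string_model(&ei, sample_tlv, 8, out, 0));
	printf("strict check, len 8: %d\n", qmi_decode_string_model(&ei, sample_tlv, 8, out, 1));
	printf("strict check, len 7: %d\n", qmi_decode_string_model(&ei, sample_tlv, 7, out, 1));
	return 0;
}
```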
The vulnerability could lead to kernel memory corruption and potential denial-of-service if malformed QMI messages are processed, for example through a compromised modem or firmware-controlled interface. This could affect system stability and potentially lead to system crashes (Red Hat CVE).
Multiple Linux distributions have released patches to address this vulnerability. Ubuntu has released fixes for various kernel versions including 5.15.0-94.104 for 22.04 LTS and 5.4.0-169.187 for 20.04 LTS. Red Hat has deferred fixes for Enterprise Linux 8 and 9, while versions 6 and 7 are not affected (Ubuntu Security).
Source: This report was generated using AI