{ "threat_severity" : "Moderate", "public_date" : "2025-10-04T00:00:00Z", "bugzilla" : { "description" : "kernel: clk: imx: scu: use _safe list iterator to avoid a use after free", "id" : "2401503", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401503" }, "cvss3" : { "cvss3_base_score" : "4.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-825", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nclk: imx: scu: use _safe list iterator to avoid a use after free\nThis loop is freeing \"clk\" so it needs to use list_for_each_entry_safe().\nOtherwise it dereferences a freed variable to get the next item on the\nloop.", "A use-after-free flaw was found in the Linux kernel's i.MX system control unit clock driver in the error cleanup path. \nA local user can trigger this issue during clock initialization failure scenarios on i.MX hardware with System Control Unit firmware, where the cleanup loop incorrectly uses a standard list iterator instead of the safe variant while freeing clock structures. This causes the kernel to dereference freed memory when traversing to the next list element, resulting in memory corruption that can lead to a crash or denial of service." ], "statement" : "The bug appears in the cleanup path that executes when SCU clock registration fails. The code walks a linked list of clock structures, freeing each one, but uses list_for_each_entry() instead of list_for_each_entry_safe(). Since the macro dereferences the current entry to find the next pointer, freeing the entry first creates a use-after-free when the loop tries to advance. Exploitation requires triggering a clock initialization failure, which typically happens only during early boot on specific i.MX platforms with SCU firmware (like i.MX8QM or i.MX8QXP).", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-11-12T00:00:00Z", "advisory" : "RHSA-2024:9315", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-503.11.1.el9_5" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-11-12T00:00:00Z", "advisory" : "RHSA-2024:9315", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-503.11.1.el9_5" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53572\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53572\nhttps://lore.kernel.org/linux-cve-announce/2025100453-CVE-2023-53572-ab85@gregkh/T" ], "name" : "CVE-2023-53572", "csaw" : false }