{
  "threat_severity" : "Low",
  "public_date" : "2025-10-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: drivers: base: Free devm resources when unregistering a device",
    "id" : "2401501",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401501"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-771",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndrivers: base: Free devm resources when unregistering a device\nIn the current code, devres_release_all() only gets called if the device\nhas a bus and has been probed.\nThis leads to issues when using bus-less or driver-less devices where\nthe device might never get freed if a managed resource holds a reference\nto the device. This is happening in the DRM framework for example.\nWe should thus call devres_release_all() in the device_del() function to\nmake sure that the device-managed actions are properly executed when the\ndevice is unregistered, even if it has neither a bus nor a driver.\nThis is effectively the same change as commit 2f8d16a996da (\"devres:\nrelease resources on device_del()\") that got reverted by commit\na525a3ddeaca (\"driver core: free devres in device_release\") over\nmemory-leak concerns.\nThis patch effectively combines the two commits mentioned above to\nrelease the resources both on device_del() and device_release() and get\nthe best of both worlds.", "A resource management issue was found in the Linux kernel's driver core regarding device-managed (devm) resource cleanup. When devices without a bus or driver are unregistered, their managed resources are not freed, because devres_release_all is only called for devices that have a bus and have been probed. This causes resource leaks, which are particularly problematic when a managed resource holds a reference to the device itself: the device object can then never be freed, and repeated register/unregister cycles lead to denial of service through resource exhaustion." ],
  "statement" : "The device-managed resource API (devm) allows drivers to tie resource allocations to device lifetimes. Before this fix, devres_release_all was called only for devices that have a bus and have been probed, that is, in the driver probe-failure and driver-release paths. This worked for traditional bus-based, driver-bound devices. However, some subsystems, particularly DRM/graphics, use device objects without a bus or driver binding. For these devices, if a devm resource holds a reference to the device, a circular dependency results: the device cannot be released until its managed resources are freed, but those resources are not freed until the device is released, so the device object is never freed. An earlier attempt to address this, commit 2f8d16a996da, released devres in device_del but was reverted by commit a525a3ddeaca over memory-leak concerns. The current fix calls devres_release_all in both device_del (during unregistration) and device_release (during final teardown), breaking the circular dependency while avoiding the earlier problems.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53596\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53596\nhttps://lore.kernel.org/linux-cve-announce/2025100429-CVE-2023-53596-dbfb@gregkh/T" ],
  "name" : "CVE-2023-53596",
  "csaw" : false
}
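The reference cycle described in the statement field, modelled in user space as an added example; this is not kernel code and not part of the advisory. Every identifier in it (model_device, model_devres, model_devm_add, model_devres_release_all, freed_flag and so on) is a hypothetical stand-in for struct device, struct devres and the devm_* helpers, and the refcount integer stands in for the device's kobject kref. One managed resource holds a reference on its own device, as the DRM objects mentioned in the commit message do; the two unregister functions show the pre-fix path, where device_del does no devres work and the device is never freed, and the fixed path, where releasing devres in device_del drops that reference so the final put reaches device_release.

```c
/* Added example, not code from the kernel or from this advisory: a user-space model
 * of the devres reference cycle described in the statement field. All names here
 * (model_device, model_devres, model_devm_add, ...) are hypothetical stand-ins for
 * struct device, struct devres and the devm_* helpers. */
#include <stdio.h>
#include <stdlib.h>

struct model_device;
struct model_devres {            /* one device-managed action, like struct devres */
    struct model_devres *next;
    void (*release)(struct model_device *dev);
};
struct model_device {
    int refcount;                /* stands in for the embedded kobject kref */
    int *freed_flag;             /* set when the final put frees the device */
    struct model_devres *devres;
};
static void model_device_release(struct model_device *dev);
static void model_get_device(struct model_device *dev) { dev->refcount++; }
static void model_put_device(struct model_device *dev)
{
    if (--dev->refcount == 0) model_device_release(dev);
}
/* devm-style registration: run 'release' when the device is torn down */
static void model_devm_add(struct model_device *dev, void (*release)(struct model_device *))
{
    struct model_devres *dr = calloc(1, sizeof *dr);
    if (!dr) abort();
    dr->release = release;
    dr->next = dev->devres;
    dev->devres = dr;
}

/* counterpart of devres_release_all(): detach the list first, so a second
 * call (from the final release after device_del) finds nothing to do */
static void model_devres_release_all(struct model_device *dev)
{
    struct model_devres *dr = dev->devres;
    dev->devres = NULL;
    while (dr) {
        struct model_devres *next = dr->next;
        dr->release(dev);
        free(dr);
        dr = next;
    }
}

/* counterpart of device_release(): runs only when the last reference drops */
static void model_device_release(struct model_device *dev)
{
    model_devres_release_all(dev);
    if (dev->freed_flag) *dev->freed_flag = 1;
    free(dev);
}

/* A managed resource that, like the DRM objects the commit message mentions,
 * holds a reference on its device; releasing it drops that reference. */
static void ref_holder_release(struct model_device *dev) { model_put_device(dev); }
/* a bus-less, driver-less device with one reference-holding devres attached */
static struct model_device *make_device(int *freed_flag)
{
    struct model_device *dev = calloc(1, sizeof *dev);
    if (!dev) abort();
    dev->refcount = 1;           /* the registration's own reference */
    dev->freed_flag = freed_flag;
    model_devm_add(dev, ref_holder_release);
    model_get_device(dev);       /* the devres now holds a second reference */
    return dev;
}

/* Pre-fix behaviour: device_del() leaves devres alone, so the devres keeps the
 * device alive and device_release() never runs. Returns 1 if the device was freed. */
static int unregister_without_devres_release(void)
{
    int freed = 0, freed_by_unregister;
    struct model_device *dev = make_device(&freed);
    model_put_device(dev);       /* device_unregister()'s final put: 2 -> 1 */
    freed_by_unregister = freed;
    if (!freed)                  /* reclaim the modelled leak so the demo itself is clean */
        model_devres_release_all(dev);
    return freed_by_unregister;
}

/* Fixed behaviour: device_del() releases devres before the final put. */
static int unregister_with_devres_release(void)
{
    int freed = 0;
    struct model_device *dev = make_device(&freed);
    model_devres_release_all(dev);  /* the call the fix adds: 2 -> 1 */
    model_put_device(dev);          /* 1 -> 0, device_release() runs */
    return freed;
}

int main(void)
{
    printf("pre-fix device_del(): freed = %d\n", unregister_without_devres_release());
    printf("fixed device_del():   freed = %d\n", unregister_with_devres_release());
    return 0;
}
```

The detail worth noting is in model_devres_release_all: the list head is cleared before the callbacks run, so when the fixed path calls it again from the final release it is a no-op, and when a callback drops the last reference (as happens during the clean-up in the pre-fix function) the loop never touches the already-freed device. That is the property that lets the real fix call devres_release_all from both device_del and device_release without the double-release problems a naive version would have.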