{ "threat_severity" : "Low", "public_date" : "2025-12-24T00:00:00Z", "bugzilla" : { "description" : "kernel: opp: Fix use-after-free in lazy_opp_tables after probe deferral", "id" : "2424932", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2424932" }, "cvss3" : { "cvss3_base_score" : "4.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-825", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nopp: Fix use-after-free in lazy_opp_tables after probe deferral\nWhen dev_pm_opp_of_find_icc_paths() in _allocate_opp_table() returns\n-EPROBE_DEFER, the opp_table is freed again, to wait until all the\ninterconnect paths are available.\nHowever, if the OPP table is using required-opps then it may already\nhave been added to the global lazy_opp_tables list. The error path\ndoes not remove the opp_table from the list again.\nThis can cause crashes later when the provider of the required-opps\nis added, since we will iterate over OPP tables that have already been\nfreed. E.g.:\nUnable to handle kernel NULL pointer dereference when read\nCPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.4.0-rc3\nPC is at _of_add_opp_table_v2 (include/linux/of.h:949\ndrivers/opp/of.c:98 drivers/opp/of.c:344 drivers/opp/of.c:404\ndrivers/opp/of.c:1032) -> lazy_link_required_opp_table()\nFix this by calling _of_clear_opp_table() to remove the opp_table from\nthe list and clear other allocated resources. While at it, also add the\nmissing mutex_destroy() calls in the error path.", "A flaw was found in the Linux kernel's OPP (Operating Performance Points) subsystem. When probe deferral occurs due to unavailable interconnect paths, the OPP table is freed but not removed from the global lazy_opp_tables list. This leads to a use-after-free when the required-opps provider is later added and iterates over the freed table, causing a kernel crash." ], "statement" : "This vulnerability affects systems using device tree OPP tables with required-opps dependencies and interconnect paths. The issue occurs during driver probe deferral, a transient condition during boot. Once the system is fully booted, the race window closes. The impact is limited to denial of service during system initialization.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54026\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54026\nhttps://lore.kernel.org/linux-cve-announce/2025122435-CVE-2023-54026-123c@gregkh/T" ], "name" : "CVE-2023-54026", "csaw" : false }