CVE-2023-53636

Source
https://cve.org/CVERecord?id=CVE-2023-53636
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53636.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-53636
Downstream
Published
2025-10-07T15:19:37.655Z
Modified
2026-07-15T01:49:15.224201753Z
Summary
clk: microchip: fix potential UAF in auxdev release callback
Details

In the Linux kernel, the following vulnerability has been resolved:

clk: microchip: fix potential UAF in auxdev release callback

Similar to commit 1c11289b34ab ("peci: cpu: Fix use-after-free in adevrelease()"), the auxiliary device is not torn down in the correct order. If auxiliarydevice_add() fails, the release callback will be called twice, resulting in a UAF. Due to timing, the auxdev code in this driver "took inspiration" from the aforementioned commit, and thus its bugs too!

Moving auxiliarydeviceuninit() to the unregister callback instead avoids the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53636.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b56bae2dd6fda6baf3bb74af3812676eebdd52f2
Fixed
5b4052aa956e11bcd19e50ca559eb38dcb46201b
Fixed
d7d6dacf39ed102d7667721ca1700022c9c8b11a
Fixed
934406b2d42eaf3fc57f5546cc68ff7ab9680bb3
Fixed
7455b7007b9e93bcc2bc9c1c6c73a228e3152069

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53636.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.1.28
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.2.15
Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.3.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53636.json"