DEBIAN-CVE-2023-53515

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2023-53515

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53515.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2023-53515

Upstream

CVE-2023-53515

Published

2025-10-01T12:15:55Z

Modified

2025-10-02T09:25:41.391128Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved: virtio-mmio: don't break lifecycle of vmdev vmdev has a separate lifecycle because it has a 'struct device' embedded. Thus, having a release callback for it is correct. Allocating the vmdev struct with devres totally breaks this protection, though. Instead of waiting for the vmdev release callback, the memory is freed when the platformdevice is removed. Resulting in a use-after-free when finally the callback is to be called. To easily see the problem, compile the kernel with CONFIGDEBUGKOBJECTRELEASE and unbind with sysfs. The fix is easy, don't use devres in this case. Found during my research about object lifetime problems.

References

https://security-tracker.debian.org/tracker/CVE-2023-53515

Affected packages

Debian:11 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.10.197-1

Affected versions

5.*

5.10.46-4

5.10.46-5

5.10.70-1~bpo10+1

5.10.70-1

5.10.84-1

5.10.92-1~bpo10+1

5.10.92-1

5.10.92-2

5.10.103-1~bpo10+1

5.10.103-1

5.10.106-1

5.10.113-1

5.10.120-1~bpo10+1

5.10.120-1

5.10.127-1

5.10.127-2~bpo10+1

5.10.127-2

5.10.136-1

5.10.140-1

5.10.148-1

5.10.149-1

5.10.149-2

5.10.158-1

5.10.158-2

5.10.162-1

5.10.178-1

5.10.178-2

5.10.178-3

5.10.179-1

5.10.179-2

5.10.179-3

5.10.179-4

5.10.179-5

5.10.191-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.52-1

Affected versions

6.*

6.1.27-1

6.1.37-1

6.1.38-1

6.1.38-2~bpo11+1

6.1.38-2

6.1.38-3

6.1.38-4~bpo11+1

6.1.38-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.4.13-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.4.13-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}