CVE-2023-53596
Analyzed Analyzed - Analysis Complete

BaseFortify

Vulnerability report for CVE-2023-53596, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-04

Last updated on: 2026-06-18

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: drivers: base: Free devm resources when unregistering a device In the current code, devres_release_all() only gets called if the device has a bus and has been probed. This leads to issues when using bus-less or driver-less devices where the device might never get freed if a managed resource holds a reference to the device. This is happening in the DRM framework for example. We should thus call devres_release_all() in the device_del() function to make sure that the device-managed actions are properly executed when the device is unregistered, even if it has neither a bus nor a driver. This is effectively the same change than commit 2f8d16a996da ("devres: release resources on device_del()") that got reverted by commit a525a3ddeaca ("driver core: free devres in device_release") over memory leaks concerns. This patch effectively combines the two commits mentioned above to release the resources both on device_del() and device_release() and get the best of both worlds.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-04
Last Modified
2026-06-18
Generated
2026-07-06
AI Q&A
2025-10-04
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.5 (inc) to 6.5.3 (exc)
linux linux_kernel From 6.2 (inc) to 6.4.16 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.53 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.209 (exc)
linux linux_kernel From 3.7 (inc) to 5.10.258 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-415 The product calls free() twice on the same memory address.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel involves improper freeing of device-managed resources when unregistering devices that do not have a bus or driver. Specifically, the function devres_release_all() was only called if the device had a bus and had been probed, which caused resources to not be released for bus-less or driver-less devices. This could lead to resource leaks, for example in the DRM framework. The fix ensures devres_release_all() is called in the device_del() function to properly release resources even if the device lacks a bus or driver.

Impact Analysis

This vulnerability can cause resource leaks in the Linux kernel when devices without a bus or driver are unregistered. Such leaks may lead to increased memory usage and potentially degrade system stability or performance over time, especially in subsystems like DRM that use bus-less or driver-less devices.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-53596. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart