CVE-2023-53596
Modified Modified - Updated After Analysis
BaseFortify

Publication date: 2025-10-04

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: drivers: base: Free devm resources when unregistering a device In the current code, devres_release_all() only gets called if the device has a bus and has been probed. This leads to issues when using bus-less or driver-less devices where the device might never get freed if a managed resource holds a reference to the device. This is happening in the DRM framework for example. We should thus call devres_release_all() in the device_del() function to make sure that the device-managed actions are properly executed when the device is unregistered, even if it has neither a bus nor a driver. This is effectively the same change than commit 2f8d16a996da ("devres: release resources on device_del()") that got reverted by commit a525a3ddeaca ("driver core: free devres in device_release") over memory leaks concerns. This patch effectively combines the two commits mentioned above to release the resources both on device_del() and device_release() and get the best of both worlds.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-04
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2025-10-04
EPSS Evaluated
2026-06-15
NVD
CVE-2023-53596
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel From 6.5 (inc) to 6.5.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-415 The product calls free() twice on the same memory address.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel involves improper freeing of device-managed resources when unregistering devices that do not have a bus or driver. Specifically, the function devres_release_all() was only called if the device had a bus and had been probed, which caused resources to not be released for bus-less or driver-less devices. This could lead to resource leaks, for example in the DRM framework. The fix ensures devres_release_all() is called in the device_del() function to properly release resources even if the device lacks a bus or driver.

Impact Analysis

This vulnerability can cause resource leaks in the Linux kernel when devices without a bus or driver are unregistered. Such leaks may lead to increased memory usage and potentially degrade system stability or performance over time, especially in subsystems like DRM that use bus-less or driver-less devices.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-53596. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart