CVE-2023-54026
Unknown Unknown - Not Provided
Use-After-Free in Linux Kernel OPP Tables Causes Kernel Crash

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: opp: Fix use-after-free in lazy_opp_tables after probe deferral When dev_pm_opp_of_find_icc_paths() in _allocate_opp_table() returns -EPROBE_DEFER, the opp_table is freed again, to wait until all the interconnect paths are available. However, if the OPP table is using required-opps then it may already have been added to the global lazy_opp_tables list. The error path does not remove the opp_table from the list again. This can cause crashes later when the provider of the required-opps is added, since we will iterate over OPP tables that have already been freed. E.g.: Unable to handle kernel NULL pointer dereference when read CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.4.0-rc3 PC is at _of_add_opp_table_v2 (include/linux/of.h:949 drivers/opp/of.c:98 drivers/opp/of.c:344 drivers/opp/of.c:404 drivers/opp/of.c:1032) -> lazy_link_required_opp_table() Fix this by calling _of_clear_opp_table() to remove the opp_table from the list and clear other allocated resources. While at it, also add the missing mutex_destroy() calls in the error path.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-05-07
AI Q&A
2025-12-24
EPSS Evaluated
2026-05-05
NVD
CVE-2023-54026
EUVD
EUVD-2025-205119
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux kernel *
linux linux_kernel 6.4.0-rc3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-after-free bug in the Linux kernel's OPP (Operating Performance Points) subsystem. When the function dev_pm_opp_of_find_icc_paths() returns -EPROBE_DEFER during the allocation of an OPP table, the table is freed to wait for interconnect paths. However, if the OPP table uses required-opps and has already been added to a global list (lazy_opp_tables), it is not removed from that list upon freeing. This leads to the kernel later accessing freed memory when iterating over these tables, causing crashes such as NULL pointer dereferences.


How can this vulnerability impact me? :

This vulnerability can cause system instability and crashes in the Linux kernel due to use-after-free errors. Specifically, it may lead to kernel NULL pointer dereferences and crashes when the system tries to access freed OPP tables. This can affect the reliability and availability of systems running vulnerable Linux kernel versions.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by updating the Linux kernel to a version that includes the patch for the use-after-free in lazy_opp_tables after probe deferral. Immediate mitigation involves applying the updated kernel that calls _of_clear_opp_table() to properly remove the opp_table from the list and clear allocated resources, and includes the missing mutex_destroy() calls in the error path.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart