VYPR
High severity7.8NVD Advisory· Published Oct 1, 2025· Updated Apr 6, 2026

CVE-2023-53515

CVE-2023-53515

Description

In the Linux kernel, the following vulnerability has been resolved:

virtio-mmio: don't break lifecycle of vm_dev

vm_dev has a separate lifecycle because it has a 'struct device' embedded. Thus, having a release callback for it is correct.

Allocating the vm_dev struct with devres totally breaks this protection, though. Instead of waiting for the vm_dev release callback, the memory is freed when the platform_device is removed. Resulting in a use-after-free when finally the callback is to be called.

To easily see the problem, compile the kernel with CONFIG_DEBUG_KOBJECT_RELEASE and unbind with sysfs.

The fix is easy, don't use devres in this case.

Found during my research about object lifetime problems.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

173

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.