Unrated severityNVD Advisory· Published Oct 7, 2025

clk: microchip: fix potential UAF in auxdev release callback

CVE-2023-53636

Description

In the Linux kernel, the following vulnerability has been resolved:

Similar to commit 1c11289b34ab ("peci: cpu: Fix use-after-free in adev_release()"), the auxiliary device is not torn down in the correct order. If auxiliary_device_add() fails, the release callback will be called twice, resulting in a UAF. Due to timing, the auxdev code in this driver "took inspiration" from the aforementioned commit, and thus its bugs too!

Moving auxiliary_device_uninit() to the unregister callback instead avoids the issue.

Affected products

Linux/Linuxv5
Range: 6.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

git.kernel.org/stable/c/5b4052aa956e11bcd19e50ca559eb38dcb46201bmitre
git.kernel.org/stable/c/7455b7007b9e93bcc2bc9c1c6c73a228e3152069mitre
git.kernel.org/stable/c/934406b2d42eaf3fc57f5546cc68ff7ab9680bb3mitre
git.kernel.org/stable/c/d7d6dacf39ed102d7667721ca1700022c9c8b11amitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000