CVE-2023-53697
Description
In the Linux kernel, the following vulnerability has been resolved:
nvdimm: Fix memleak of pmu attr_groups in unregister_nvdimm_pmu()
Memory pointed to by 'nd_pmu->pmu.attr_groups' is allocated in function 'register_nvdimm_pmu' and is lost after the 'kfree(nd_pmu)' call in function 'unregister_nvdimm_pmu'.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in the Linux kernel's NVDIMM PMU subsystem occurs when unregistering a PMU device, as the allocated attr_groups pointer is not freed before kfree(nd_pmu).
Vulnerability Overview
CVE-2023-53697 is a memory leak vulnerability in the Linux kernel's NVDIMM (Non-Volatile Dual In-line Memory Module) subsystem. The issue resides in the unregister_nvdimm_pmu() function, where the memory allocated for nd_pmu->pmu.attr_groups during register_nvdimm_pmu() is not properly freed before the nd_pmu structure is deallocated via kfree(nd_pmu). This results in a memory leak, as the pointer to the allocated memory is lost without being released [1][2].
Exploitation and Attack Surface
This vulnerability is triggered during the normal operation of unloading or removing an NVDIMM PMU (Performance Monitoring Unit) device. No special privileges beyond the ability to trigger device removal are required; however, the attack surface is limited to systems that utilize NVDIMM hardware and the associated kernel driver. An attacker with local access or the ability to cause device hot-unplug events could repeatedly trigger the leak, potentially exhausting system memory over time.
Impact
An attacker who can repeatedly trigger the unregister path may cause a gradual depletion of kernel memory, leading to denial of service (DoS) conditions. The leak does not directly allow arbitrary code execution or privilege escalation, but sustained exploitation could degrade system performance or cause instability.
Mitigation
The fix is included in Linux kernel stable updates. Patched versions are available via the kernel git repositories referenced in the CVE [1][2]. Users should update to a kernel version containing the commit that properly frees attr_groups before freeing nd_pmu. No workaround is available; updating the kernel is the recommended mitigation.
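A userspace C model of the leak and of the fix described above, added here as an illustration; it is not the kernel source or the upstream patch. The simplified structs, the `model_*` helpers and the tracking table are assumptions that stand in for the kernel's types, its allocator and a leak detector.

```c
/* Userspace model of the leak pattern (added example, not kernel source). */
#include <stdio.h>
#include <stdlib.h>
#define SLOTS 4096
static void *tracked[SLOTS];   /* outstanding allocations, a stand-in leak detector */
static void *model_alloc(size_t n, size_t sz) {
    for (int i = 0; i < SLOTS; i++)
        if (!tracked[i]) return tracked[i] = calloc(n, sz);
    return NULL;               /* tracking table full */
}
static void model_free(const void *p) {
    for (int i = 0; p && i < SLOTS; i++)
        if (tracked[i] == p) { free(tracked[i]); tracked[i] = NULL; return; }
}
static long sweep(void) {      /* count what is still allocated, then reclaim it */
    long n = 0;
    for (int i = 0; i < SLOTS; i++)
        if (tracked[i]) { n++; free(tracked[i]); tracked[i] = NULL; }
    return n;
}

struct attribute_group { const char *name; };            /* simplified stand-ins */
struct pmu { const struct attribute_group **attr_groups; };
struct nvdimm_pmu { struct pmu pmu; };

/* Registration allocates the attr_groups array, as the description states. */
static int model_register(struct nvdimm_pmu *nd_pmu) {
    nd_pmu->pmu.attr_groups = model_alloc(4, sizeof(*nd_pmu->pmu.attr_groups));
    return nd_pmu->pmu.attr_groups ? 0 : -1;
}
/* Before the fix: only the container is freed; the array pointer is lost. */
static void model_unregister_leaky(struct nvdimm_pmu *nd_pmu) { model_free(nd_pmu); }
/* After the fix: free attr_groups first, then the container. */
static void model_unregister_fixed(struct nvdimm_pmu *nd_pmu) {
    model_free(nd_pmu->pmu.attr_groups);
    model_free(nd_pmu);
}
/* Run register/unregister cycles; return allocations left outstanding. */
static long leaked_after(int cycles, void (*unregister)(struct nvdimm_pmu *)) {
    for (int i = 0; i < cycles; i++) {
        struct nvdimm_pmu *nd_pmu = model_alloc(1, sizeof(*nd_pmu));
        if (!nd_pmu || model_register(nd_pmu) != 0) { model_free(nd_pmu); break; }
        unregister(nd_pmu);
    }
    return sweep();
}
int main(void) {
    printf("leaky=%ld ", leaked_after(1000, model_unregister_leaky));
    printf("fixed=%ld\n", leaked_after(1000, model_unregister_fixed));
}
```

One allocation stays outstanding per register/unregister cycle in the leaky variant, which is the gradual accumulation the Impact section refers to; the fixed variant leaves none.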
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 4
500a6ff9c2a8, 4999f2ec5fde, 16259c80542e, 85ae42c72142
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0
No linked articles in our index yet.