CVE-2023-54091
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/client: Fix memory leak in drm_client_target_cloned
dmt_mode is allocated and never freed in this function. It was found with the ast driver, but most drivers using generic fbdev setup are probably affected.
This fixes the following kmemleak report:
  backtrace:
    [<00000000b391296d>] drm_mode_duplicate+0x45/0x220 [drm]
    [<00000000e45bb5b3>] drm_client_target_cloned.constprop.0+0x27b/0x480 [drm]
    [<00000000ed2d3a37>] drm_client_modeset_probe+0x6bd/0xf50 [drm]
    [<0000000010e5cc9d>] __drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper]
    [<00000000909f82ca>] drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper]
    [<00000000063a69aa>] drm_client_register+0x169/0x240 [drm]
    [<00000000a8c61525>] ast_pci_probe+0x142/0x190 [ast]
    [<00000000987f19bb>] local_pci_probe+0xdc/0x180
    [<000000004fca231b>] work_for_cpu_fn+0x4e/0xa0
    [<0000000000b85301>] process_one_work+0x8b7/0x1540
    [<000000003375b17c>] worker_thread+0x70a/0xed0
    [<00000000b0d43cd9>] kthread+0x29f/0x340
    [<000000008d770833>] ret_from_fork+0x1f/0x30
unreferenced object 0xff11000333089a00 (size 128):
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memory leak in drm_client_target_cloned() due to unreleased dmt_mode allocation affects Linux DRM clients using generic fbdev setup.
Root Cause
CVE-2023-54091 describes a memory leak in the Linux kernel's DRM subsystem. In the function drm_client_target_cloned(), a display mode (dmt_mode) is allocated via drm_mode_duplicate() but is never freed. This means every invocation of this function loses 128 bytes of kernel memory, as confirmed by a kmemleak report [1][2][3][4]. The leak is triggered during client mode probing, which happens when a DRM device initializes its framebuffer configuration.
Exploitation Conditions
An attacker does not need special privileges to trigger the leak; it occurs automatically during normal operation of affected drivers. The vulnerability was found with the AST (ASpeed) driver, but the description notes that most drivers using the generic framebuffer (fbdev) setup are likely affected. The leak is reproducible without any explicit user input, as it happens during system boot or hotplug events when the drm_fbdev_client_hotplug() function calls into the vulnerable code path [1].
Impact
The primary impact is resource exhaustion. By repeatedly triggering DRM client initialization—for instance through repeated hotplug events or system resume cycles—an attacker could exhaust system memory, leading to denial of service (DoS). The kernel's kmemleak tool detects the leak as an "unreferenced object" of size 128 bytes, indicating the memory is permanently lost. No code execution or privilege escalation is possible; the leak is purely a memory resource drain.
Mitigation
The fix has been applied in multiple Linux stable kernel branches [2][3][4]. The patch simply adds a kfree(dmt_mode) call in the appropriate cleanup path. Users should update their kernel to a version that includes the commit, such as those referenced in the stable kernels. There is no known workaround beyond applying the kernel patch.
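A user-space model of the pattern described above, added here as an illustration; it is not the kernel's code or the patch itself. The struct, the function names (mode_dup, mode_free, target_cloned, leaked_bytes) and the 1024x768@60 sample mode are assumptions made for the example.

```c
/* User-space model of the leak pattern; not kernel source. mode_dup() and
 * mode_free() are hypothetical stand-ins for drm_mode_duplicate()/kfree(). */
#include <stdbool.h>
#include <stdlib.h>

struct mode { int hdisplay, vdisplay, vrefresh; };

static long live_allocs;   /* allocations not yet released */

static struct mode *mode_dup(const struct mode *src)
{
    struct mode *m = malloc(sizeof(*m));
    if (m) { *m = *src; live_allocs++; }
    return m;
}

static void mode_free(struct mode *m) { if (m) { live_allocs--; free(m); } }

/* Decide whether every connector offers the reference mode. The duplicate is
 * only compared against, so nothing else holds it when the function returns.
 * fixed == false keeps the pre-patch behaviour (no release). */
static bool target_cloned(const struct mode *conn, size_t n, bool fixed)
{
    static const struct mode ref = { 1024, 768, 60 };  /* constructed sample */
    struct mode *dmt_mode = mode_dup(&ref);
    bool can_clone = true;

    if (!dmt_mode)
        return false;
    for (size_t i = 0; i < n; i++)
        if (conn[i].hdisplay != dmt_mode->hdisplay ||
            conn[i].vdisplay != dmt_mode->vdisplay ||
            conn[i].vrefresh != dmt_mode->vrefresh)
            can_clone = false;
    if (fixed)
        mode_free(dmt_mode);   /* the release the patch adds */
    return can_clone;
}

/* Run `probes` probe cycles on constructed connectors; return bytes still allocated. */
long leaked_bytes(int probes, bool fixed, bool all_match)
{
    const struct mode conn[2] = { {1024, 768, 60}, {all_match ? 1024 : 800, 768, 60} };
    live_allocs = 0;
    for (int i = 0; i < probes; i++)
        target_cloned(conn, 2, fixed);
    return live_allocs * (long)sizeof(struct mode);
}
```

In the model the unreleased memory grows linearly with the number of probe cycles whether or not the connectors match, and drops to zero once the release runs on every path out of the function.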
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 8
d3009700f486 a4b978249e8f 52daf6ba2e0d 105275879a80 a85e23a1ef63 b5359d7a5087 4b596a6e2d2e c2a88e8bdf5f
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/105275879a80503686a8108af2f5c579a1c5aef4 (nvd)
- git.kernel.org/stable/c/4b596a6e2d2e0f9c14e4122506dd715f43fcd727 (nvd)
- git.kernel.org/stable/c/52daf6ba2e0d201640cb1ce42049c5c4426b4d6e (nvd)
- git.kernel.org/stable/c/a4b978249e8fa94956fce8b70a709f7797716f62 (nvd)
- git.kernel.org/stable/c/a85e23a1ef63e45a18f0a30d7816fcb4a865ca95 (nvd)
- git.kernel.org/stable/c/b5359d7a5087ac398fc429da6833133b4784c268 (nvd)
- git.kernel.org/stable/c/c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 (nvd)
- git.kernel.org/stable/c/d3009700f48602b557eade1f22c98b6bc20247e8 (nvd)