CVE-2023-54143

Vulnerability

In the Linux kernel's Mediatek video codec driver, the function vdec_msg_queue_init() has multiple error paths that fail to release previously allocated resources. Specifically, if an early allocation for msg_queue->wdma_addr fails, the cleanup function vdec_msg_queue_deinit() becomes a no-op because it checks the size field before freeing memory, leaving the allocated memory unreleased [1].

Exploitation

This vulnerability is only exploitable by a local attacker who can trigger the initialization of the Mediatek video codec hardware, for example by invoking video decoding operations that cause vdec_msg_queue_init() to fail due to memory pressure. The attack requires local access to the system and the ability to allocate kernel memory, such as through a crafted video stream or a malicious application [1].

Impact

If triggered repeatedly, the memory leaks can exhaust kernel memory, leading to denial of service (DoS) by causing system instability or preventing new allocations. The vulnerability does not directly allow code execution or privilege escalation, as it only involves memory not being freed [1].

Mitigation

The fix was committed to the Linux kernel stable tree on 2025-12-24. The patch ensures that on any error path within vdec_msg_queue_init(), the msg_queue->wdma_addr.size is set to zero so that vdec_msg_queue_deinit() can properly clean up, and the error paths are redirected to common cleanup code [1]. Users should update their kernel to include commit 858322c409e0aba8f70810d23f35c482744f007c.