CVE-2023-54183
Description
In the Linux kernel, the following vulnerability has been resolved:
media: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link()
If fwnode_graph_get_remote_endpoint() fails, 'fwnode' is known to be NULL, so fwnode_handle_put() is a no-op.
Release the reference taken from a previous fwnode_graph_get_port_parent() call instead.
Also handle fwnode_graph_get_port_parent() failures.
In order to fix these issues, add an error handling path to the function and the needed gotos.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A resource leak in the Linux kernel's v4l2_fwnode_parse_link() function could cause memory exhaustion if fwnode_graph_get_remote_endpoint() fails.
Vulnerability
Overview
CVE-2023-54183 is a resource leak vulnerability in the Linux kernel's Video for Linux 2 (V4L2) subsystem, specifically in the v4l2_fwnode_parse_link() function. The function parses firmware node links for video devices. The root cause is improper error handling: when fwnode_graph_get_remote_endpoint() fails, the code previously only called fwnode_handle_put() on the already-NULL fwnode pointer, which is a no-op. This meant the reference taken earlier by fwnode_graph_get_port_parent() was never released, leading to a reference count leak. Additionally, the function did not handle failures of fwnode_graph_get_port_parent() itself, which could leave the system in an inconsistent state.
Exploitation and
Attack Surface
To exploit this vulnerability, an attacker would need to trigger a failure in fwnode_graph_get_remote_endpoint() while the kernel is parsing a V4L2 firmware node link. This could be achieved by providing a malformed or incomplete device tree or ACPI table that causes the endpoint lookup to fail. The attack requires local access to the system or the ability to influence firmware node data (e.g., via a malicious peripheral device). No authentication is needed beyond the ability to trigger the parsing, which may occur during device enumeration or hotplug events.
Impact
If successfully triggered, the reference leak causes the kernel to hold an extra reference on a firmware node object indefinitely. Repeated exploitation could exhaust kernel memory, leading to a denial-of-service (DoS) condition. The vulnerability does not directly allow code execution or privilege escalation, but memory exhaustion can crash the system or make it unresponsive.
Mitigation
The fix was applied in Linux kernel stable releases via commits [1], [2], [3], and [4]. The patch adds proper error handling: it releases the reference from fwnode_graph_get_port_parent() when fwnode_graph_get_remote_endpoint() fails, and checks for failures of fwnode_graph_get_port_parent() itself. Users should update to a kernel version containing these commits. No workaround is available other than applying the patch.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
82342942331e14bc5ffaf8ac4d8a8f75fce04caf058833b6f25afb3e03bf8ed1696f7f92ee8a1cd87bb9fd7b13edd4cb4Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- git.kernel.org/stable/c/2342942331e1f034ff58f293e10d0d9b7581601fnvd
- git.kernel.org/stable/c/25afb3e03bf8ab02567af4b6ffbfd6250a91a9f8nvd
- git.kernel.org/stable/c/4bc5ffaf8ac4f3e7a1fcd10a0a0e7b022b694877nvd
- git.kernel.org/stable/c/caf058833b6f3fe7beabf738110f79bb987c8fffnvd
- git.kernel.org/stable/c/d7b13edd4cb4bfa335b6008ab867ac28582d3e5cnvd
- git.kernel.org/stable/c/d8a8f75fce049bdb3144b607deefe51e996b9660nvd
- git.kernel.org/stable/c/e8a1cd87bb9fa3149ee112ecb8058908dc9b520envd
- git.kernel.org/stable/c/ed1696f7f92e8404940d51dec80a123aa18163a8nvd
News mentions
0No linked articles in our index yet.