VYPR
Unrated severityNVD Advisory· Published Dec 30, 2025· Updated Apr 15, 2026

CVE-2023-54204

Description

In the Linux kernel, the following vulnerability has been resolved:

mmc: sunplus: fix return value check of mmc_add_host()

mmc_add_host() may return error, if we ignore its return value,

1. the memory allocated in mmc_alloc_host() will be leaked
2. null-ptr-deref will happen when calling mmc_remove_host() in remove function spmmc_drv_remove() because deleting not added device.

Fix this by checking the return value of mmc_add_host(). Moreover, I fixed the error handling path of spmmc_drv_probe() to clean up.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing return value check of mmc_add_host() in the Sunplus MMC driver can cause memory leaks and a null-ptr-deref on removal.

Vulnerability Analysis

The Sunplus MMC (SPMMC) driver in the Linux kernel fails to check the return value of mmc_add_host(). If this function fails, the error is ignored, leading to two issues: the memory allocated by mmc_alloc_host() is leaked, and a null-ptr-dereference occurs when mmc_remove_host() is called in the remove function spmmc_drv_remove() because the device was never added [1].
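The pattern described above, as an added example that is not the driver's code or the upstream patch: a userspace C model that compares a probe which drops the add result with one that checks it and unwinds. The names host_alloc(), host_add(), host_remove(), host_free() and both probe functions are hypothetical stand-ins for the mmc_*_host() calls and spmmc_drv_probe().

```c
/* Userspace model (constructed): host_*() stand in for mmc_*_host(). */
#include <errno.h>
#include <stdlib.h>

struct host { int added; };
static int live_hosts; /* hosts allocated and not yet freed */
static int fail_add;   /* 1 = host_add() fails */

struct host *host_alloc(void) {
    struct host *h = calloc(1, sizeof(*h));
    if (h) live_hosts++;
    return h;
}
void host_free(struct host *h) { free(h); live_hosts--; }
int host_add(struct host *h) {
    if (fail_add) return -ENOMEM;
    h->added = 1;
    return 0;
}
/* -1 marks where removing a never-added host would crash the kernel. */
int host_remove(struct host *h) {
    if (!h->added) return -1;
    h->added = 0;
    return 0;
}

/* Pre-fix shape: host_add() result dropped, probe reports success. */
int probe_unchecked(struct host **out) {
    struct host *h = host_alloc();
    if (!h) return -ENOMEM;
    host_add(h);
    *out = h;
    return 0;
}

/* Fixed shape: propagate the error and unwind the allocation. */
int probe_checked(struct host **out) {
    struct host *h = host_alloc();
    int ret;
    if (!h) return -ENOMEM;
    if ((ret = host_add(h)) != 0) {
        host_free(h);
        return ret;
    }
    *out = h;
    return 0;
}
```

With fail_add set, the unchecked probe still reports success and leaves a bound host that was never added, which is the state the remove path later trips over; the checked probe returns the error with nothing left allocated.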

Exploitation

An attacker would need to trigger a failure in mmc_add_host(), which could happen due to resource constraints or device errors. No special privileges are required beyond the ability to probe the MMC device. The attack surface is local, requiring physical or logical access to the MMC subsystem.

Impact

Successful exploitation leads to a kernel memory leak and a null-ptr-dereference, likely causing a denial of service (system crash). The vulnerability does not allow privilege escalation or data corruption beyond the immediate crash.

Mitigation

The fix is included in Linux kernel stable updates. Users should apply the latest kernel patches from their distribution. No workaround is available; the driver must be updated.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
