CVE-2023-54252

Vulnerability

Overview

CVE-2023-54252 is a memory leak vulnerability in the Linux kernel's think-lmi driver, specifically in the code that parses WMI (Windows Management Instrumentation) strings for ThinkStation systems. The issue was introduced by a previous commit that allocated memory via tlmi_setting but failed to free it, resulting in a memory leak. The fix renames the variable to avoid confusion with a similarly named variable in the same function and ensures proper deallocation [1][2].

Exploitation

This vulnerability is local in nature, requiring an attacker to have the ability to trigger the parsing of WMI strings on a system using the think-lmi driver. No special privileges beyond local access are needed, as the driver is part of the kernel and can be triggered by normal system operations or by an attacker with local user access. The attack surface is limited to systems with Lenovo ThinkStation hardware that utilize the think-lmi driver.

Impact

An attacker who can repeatedly trigger the vulnerable code path can cause a gradual memory leak, potentially leading to system instability or denial of service (DoS) due to memory exhaustion. The impact is primarily availability, as the leak does not directly allow privilege escalation or data corruption.

Mitigation

The vulnerability is fixed in the Linux kernel by commits that properly free the allocated memory. Users should apply the latest kernel updates from their distribution. No workaround is available other than updating the kernel.