CVE-2023-52475

Input: powermate - fix use-after-free in powermate_config_complete

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: Input: powermate - fix use-after-free in powermate_config_complete syzbot has found a use-after-free bug [1] in the powermate driver. This
happens when the device is disconnected, which leads to a memory free from
the powermate_device struct. When an asynchronous control message
completes after the kfree and its callback is invoked, the lock does not
exist anymore and hence the bug. Use usb_kill_urb() on pm->config to cancel any in-progress requests upon
device disconnection. [1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Entrada: powermate - corrige el use-after-free en powermate_config_complete syzbot ha encontrado un error de use-after-free [1] en el controlador powermate. Esto sucede cuando el dispositivo está desconectado, lo que genera una memoria libre de la estructura powermate_device. Cuando se completa un mensaje de control asincrónico después de que se invoca kfree y su devolución de llamada, el bloqueo ya no existe y de ahí el error. Utilice usb_kill_urb() en pm->config para cancelar cualquier solicitud en curso al desconectar el dispositivo. [1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e

A use-after-free flaw was found in powermate_config_complete in drivers/input/misc/powermate.c in the Linux kernel. This issue may allow an attacker to crash the system at device disconnect, possibly leading to a kernel information leak problem.

In the Linux kernel, the following vulnerability has been resolved: Input: powermate - fix use-after-free in powermate_config_complete syzbot has found a use-after-free bug [1] in the powermate driver. This happens when the device is disconnected, which leads to a memory free from the powermate_device struct. When an asynchronous control message completes after the kfree and its callback is invoked, the lock does not exist anymore and hence the bug. Use usb_kill_urb() on pm->config to cancel any in-progress requests upon device disconnection. [1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e

*Credits: N/A

CVSS Scores

Attack Vector

Physical

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Physical

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-20 CVE Reserved
2024-02-29 CVE Published
2024-12-19 CVE Updated
2025-03-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (10)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/8677575c4f39d65bf0d719b5d20e8042e550ccb9	2023-10-25
https://git.kernel.org/stable/c/67cace72606baf1758fd60feb358f4c6be92e1cc	2023-10-25
https://git.kernel.org/stable/c/5aa514100aaf59868d745196258269a16737c7bd	2023-10-25
https://git.kernel.org/stable/c/cd2fbfd8b922b7fdd50732e47d797754ab59cb06	2023-10-25
https://git.kernel.org/stable/c/6a4a396386404e62fb59bc3bde48871a64a82b4f	2023-10-19
https://git.kernel.org/stable/c/2efe67c581a2a6122b328d4bb6f21b3f36f40d46	2023-10-19
https://git.kernel.org/stable/c/e528b1b9d60743e0b26224e3fe7aa74c24b8b2f8	2023-10-19
https://git.kernel.org/stable/c/5c15c60e7be615f05a45cd905093a54b11f461bc	2023-10-14

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-52475	2024-11-12
https://bugzilla.redhat.com/show_bug.cgi?id=2266916	2024-11-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 4.14.328 Search vendor "Linux" for product "Linux Kernel" and version " < 4.14.328"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 4.19.297 Search vendor "Linux" for product "Linux Kernel" and version " < 4.19.297"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.4.259 Search vendor "Linux" for product "Linux Kernel" and version " < 5.4.259"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.10.199 Search vendor "Linux" for product "Linux Kernel" and version " < 5.10.199"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.15.136 Search vendor "Linux" for product "Linux Kernel" and version " < 5.15.136"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.1.59 Search vendor "Linux" for product "Linux Kernel" and version " < 6.1.59"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.5.8 Search vendor "Linux" for product "Linux Kernel" and version " < 6.5.8"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.6 Search vendor "Linux" for product "Linux Kernel" and version " < 6.6"		en		Affected