CVE-2023-52478

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The Linux kernel has a vulnerability in the HID: logitech-hidpp module, which can cause a kernel crash when a receiver is disconnected via USB. The issue arises from four time-of-check vs time-of-use (TOCTOU) races in the hidpp connect event() function, which can lead to a use-after-free scenario. This occurs when two threads take turns executing the probe battery() function, resulting in the registration of two power supplies for the same battery. When the last registered power supply class device is unregistered, the memory from the last devm kmemdup() call is freed, causing hidpp->battery.desc.properties to point to freed memory. This leads to backtraces when power supply uevent() is invoked to fill the uevent data.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.