PT-2025-18902 · Linux · Linux Kernel

Published: 2023-03-02 · Updated: 2025-05-07 · CVE-2023-53138

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 5.19.0-rc3
Description: A use-after-free issue has been identified in the Linux kernel, specifically in the cfusbl_device_notify() function. The issue occurs when a net device is unregistered: cfusbl_device_notify() can be called more than once with NETDEV_UNREGISTER, so the parent device is freed on the first call and then accessed again on the next, producing a kernel stack trace and a use-after-free. The repeated handling also leaves the module's reference count imbalanced.
Recommendations: For Linux kernel versions prior to 5.19.0-rc3, apply the patch that fixes the issue by accepting only the first NETDEV_UNREGISTER notification. As a temporary workaround, consider restricting the use of the cfusbl_device_notify() function until a patch is available.
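The mechanism and the fix described above, as an added userspace model that is not the kernel's cfusbl code: a notifier handler that releases the parent device and drops a module reference on every NETDEV_UNREGISTER (vulnerable shape) beside one that accepts only the first notification (fixed shape). The event value, the struct fields and the helper names are constructed for this model.

```c
/* Constructed userspace model of the bug class described above: a net device
 * notifier that handles NETDEV_UNREGISTER twice. Not the kernel's cfusbl code. */
#include <stdio.h>

#define NETDEV_UNREGISTER 1   /* event code chosen for this model only */

struct dev_model {
    int unregistered;   /* assumption: stand-in for the device's registration state */
    int parent_frees;   /* how many times the parent device was released */
    int module_refs;    /* stand-in for the module reference count */
};

/* Vulnerable shape: every NETDEV_UNREGISTER releases the parent and drops the
 * module reference, so a repeated notification frees the parent again. */
static int notify_vulnerable(struct dev_model *d, unsigned long what)
{
    if (what != NETDEV_UNREGISTER)
        return 0;
    d->parent_frees++;   /* second call: use-after-free of the parent */
    d->module_refs--;    /* second call: module refcount goes negative */
    return 0;
}

/* Fixed shape: only the first NETDEV_UNREGISTER is accepted; later ones are
 * ignored because the device has already left the registered state. */
static int notify_fixed(struct dev_model *d, unsigned long what)
{
    if (what != NETDEV_UNREGISTER || d->unregistered)
        return 0;
    d->unregistered = 1;
    d->parent_frees++;
    d->module_refs--;
    return 0;
}

/* Deliver NETDEV_UNREGISTER n times through the given handler and return 1 if
 * the parent was released exactly once and the module refcount is balanced. */
int unregister_balanced(int (*notify)(struct dev_model *, unsigned long), int n)
{
    struct dev_model d = { 0, 0, 1 };
    for (int i = 0; i < n; i++)
        notify(&d, NETDEV_UNREGISTER);
    return d.parent_frees == 1 && d.module_refs == 0;
}

int main(void)
{
    printf("vulnerable, 2 notifications balanced: %d\n", unregister_balanced(notify_vulnerable, 2));
    printf("fixed, 2 notifications balanced: %d\n", unregister_balanced(notify_fixed, 2));
    return 0;
}
```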

Weakness Enumeration: Use After Free

Related Identifiers: BDU:2026-03859, CVE-2023-53138

Affected Products: Astra Linux, Linux Kernel