CVE-2023-52617: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

PCI: switchtec: Fix stdev_release() crash after surprise hot remove

A PCI device hot removal may occur while stdev->cdev is held open. The call to stdev_release() then happens during close or exit, at a point way past switchtec_pci_remove(). Otherwise the last ref would vanish with the trailing put_device(), just before return.

At that later point in time, the devm cleanup has already removed the stdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a counted one. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause a fatal page fault, and the subsequent dma_free_coherent(), if reached, would pass a stale &stdev->pdev->dev pointer.

Fix by moving MRPC DMA shutdown into switchtec_pci_remove(), after stdev_kill(). Counting the stdev->pdev ref is now optional, but may prevent future accidents.

Reproducible via the script at https://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com
AI Analysis
Technical Summary
CVE-2023-52617 is a vulnerability in the Linux kernel's PCI switchtec driver, which manages certain PCI devices. The issue arises during a surprise hot removal of a PCI device while the device's character device (stdev->cdev) is still open. Normally, device removal goes through switchtec_pci_remove(), which should clean up resources properly. However, if the device is removed unexpectedly, stdev_release() is called later, during the close or exit phase, at a time when the device's memory-mapped I/O (MMIO) region (stdev->mmio_mrpc) has already been unmapped and the device reference (stdev->pdev) is no longer valid or properly counted. This leads to a use-after-free condition in which stdev_release() attempts an iowrite32() on a stale pointer, causing a fatal page fault. If dma_free_coherent() is called afterward, it may operate on an invalid device pointer, potentially leading to further memory corruption or system instability.

The fix moves the MRPC DMA shutdown into switchtec_pci_remove(), ensuring proper cleanup before the device is fully removed. The patch also optionally adds reference counting to the device pointer to prevent similar issues in the future.

This vulnerability can cause a denial of service (DoS) by crashing the kernel through the page fault triggered by the invalid memory access. It requires local access with high privileges (PR:H) and does not require user interaction (UI:N). The attack vector is local (AV:L), meaning an attacker must have local access to the system and the ability to trigger device removal events. The CVSS score is 4.4, indicating medium severity, primarily due to the impact on availability without affecting confidentiality or integrity.

No known exploits are currently reported in the wild, but the vulnerability is reproducible with a provided script, indicating potential for exploitation in targeted environments.
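The teardown ordering described above can be traced with a small userspace model. This is an added example, not code from the kernel or from the patch: `struct stdev_model`, `run_scenario()` and the other helpers are hypothetical names, and a stale MMIO write is counted rather than faulting. It covers only the iowrite32() path, not the dma_free_coherent() call.

```c
/* Constructed userspace model of the teardown ordering; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct stdev_model {
    int  refs;          /* device refcount; an open cdev holds one ref */
    bool mmio_mapped;   /* stands in for stdev->mmio_mrpc (devm-managed) */
    bool dma_active;    /* MRPC DMA mode still enabled */
    bool fixed;         /* true: DMA shutdown happens in the remove path */
    int  stale_access;  /* MMIO writes attempted after the unmap */
};

/* Stands in for the iowrite32() that turns MRPC DMA off. */
static void dma_shutdown(struct stdev_model *s) {
    if (!s->dma_active) return;
    if (!s->mmio_mapped) s->stale_access++;  /* a page fault in the kernel */
    s->dma_active = false;
}

/* Release callback: runs only when the last reference is dropped. */
static void model_release(struct stdev_model *s) {
    if (!s->fixed) dma_shutdown(s);          /* pre-fix: touches MMIO here */
}

static void put_ref(struct stdev_model *s) {
    if (--s->refs == 0) model_release(s);
}

/* Remove path: the fixed variant shuts DMA down while the mapping exists. */
static void model_remove(struct stdev_model *s) {
    if (s->fixed) dma_shutdown(s);
    put_ref(s);                              /* trailing put_device() */
    s->mmio_mapped = false;                  /* devm cleanup after remove */
}

/* Returns the number of stale MMIO accesses for one scenario. */
int run_scenario(bool fixed, bool cdev_open) {
    struct stdev_model s = { .refs = cdev_open ? 2 : 1, .mmio_mapped = true,
                             .dma_active = true, .fixed = fixed };
    model_remove(&s);
    if (cdev_open) put_ref(&s);              /* close()/exit() after removal */
    return s.stale_access;
}

int main(void) {
    printf("pre-fix,  cdev open: %d stale access(es)\n", run_scenario(false, true));
    printf("post-fix, cdev open: %d stale access(es)\n", run_scenario(true, true));
    return 0;
}
```

With the character device closed, the last reference drops inside the remove path while the mapping is still valid, which is why the pre-fix code only fails when a file descriptor outlives the removal.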
Potential Impact
For European organizations, the primary impact of CVE-2023-52617 is the risk of system instability or denial of service on Linux systems utilizing the switchtec PCI driver, which is commonly found in environments using specific PCI devices such as those from Microsemi/Microchip. Organizations relying on Linux servers, especially those in data centers, cloud infrastructure, or high-performance computing environments that may use these devices, could experience unexpected kernel crashes leading to downtime. This could disrupt critical services, affecting business continuity and operational efficiency. While the vulnerability does not directly compromise data confidentiality or integrity, the availability impact can be significant, especially for sectors requiring high uptime such as finance, telecommunications, healthcare, and government services. Additionally, the requirement for local privileged access limits the attack surface but does not eliminate risk from insider threats or compromised internal systems. Given the widespread use of Linux in European IT infrastructure, organizations must assess their exposure based on hardware inventory and usage of switchtec PCI devices.
Mitigation Recommendations
European organizations should take the following specific mitigation steps:
1) Identify and inventory all Linux systems running kernels with the vulnerable switchtec PCI driver, focusing on those using affected PCI devices.
2) Apply the official Linux kernel patches that address CVE-2023-52617 as soon as they are available from trusted sources or Linux distributions.
3) If immediate patching is not possible, implement strict access controls to limit local privileged access to trusted personnel only, reducing the risk of exploitation.
4) Monitor system logs and kernel messages for signs of unexpected PCI device removals or kernel crashes related to the switchtec driver.
5) Consider disabling or unloading the switchtec PCI driver on non-critical systems where the hardware is not in use to reduce exposure.
6) Incorporate this vulnerability into vulnerability management and incident response plans to ensure rapid detection and remediation.
7) Engage with hardware vendors to confirm device firmware and driver compatibility with patched kernels.
These targeted actions go beyond generic advice by focusing on hardware-specific risk and operational controls.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-03-06T09:52:12.089Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9831c4522896dcbe7e19
Added to database: 5/21/2025, 9:09:05 AM
Last enriched: 7/1/2025, 11:10:05 AM
Last updated: 8/17/2025, 2:08:23 AM