CVE-2023-52629: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

sh: push-switch: Reorder cleanup operations to avoid use-after-free bug

The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below:

    (cpu 0)                   |  (cpu 1)
    switch_drv_remove()       |
      flush_work()            |
      ...                     |  switch_timer // timer
                              |    schedule_work(&psw->work)
      timer_shutdown_sync()   |
      ...                     |  switch_work_handler // worker
      kfree(psw) // free      |
                              |    psw->state = 0 // use

This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.
AI Analysis
Technical Summary
CVE-2023-52629 is a high-severity use-after-free vulnerability in the Linux kernel caused by the wrong ordering of cleanup operations in the push-switch driver (the "sh:" prefix of the fix title names the SuperH architecture tree in which this driver lives). The flaw is a race between two CPUs while the driver stops and tears down its timer and work item during device removal. In the original code, switch_drv_remove() calls flush_work() before timer_shutdown_sync(). flush_work() only waits for an already-queued work item to finish; because the timer is still armed at that point, switch_timer() can fire on another CPU and re-queue the work with schedule_work(). timer_shutdown_sync() then stops the timer but does nothing to the work item it has just queued, so kfree(psw) releases the push-switch structure while the worker is still pending, and the worker's subsequent write psw->state = 0 lands in freed memory. The result is undefined behaviour that undermines system stability and security. The patch swaps the two calls: timer_shutdown_sync() runs first, so no further work can be queued, and flush_work() then drains any work that was already pending before the memory is freed, closing the use-after-free window. The vulnerability is classified under CWE-416 (Use After Free) and has a CVSS v3.1 score of 8.4, indicating high impact on confidentiality, integrity, and availability. Exploitation requires local access (AV:L), no privileges (PR:N), and no user interaction (UI:N), making it a significant threat in environments where untrusted local code execution is possible. Although no known exploits are currently reported in the wild, the vulnerability's nature and severity warrant prompt attention and patching.
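To make the ordering argument from the description and the summary above concrete, here is an added C model of the race (constructed for this page; it is neither kernel code nor part of the advisory). The kernel's timer and workqueue are reduced to an armed flag and a one-entry pending slot, kfree() is replaced by a stand-in that only marks the object as freed, and the commit message's cross-CPU interleaving is replayed in both the original and the patched order.

```c
/* Constructed model of the switch_drv_remove() race; not kernel code. A
 * one-entry "workqueue" and an armed flag replace the kernel primitives, and
 * kfree() becomes a marker so the use-after-free is observable, not UB. */
#include <stdbool.h>
struct push_switch { int state; bool freed; };  /* stand-in for psw */

static struct push_switch *pending_work;  /* 0 = nothing queued */
static bool timer_armed;                  /* timer can still fire */
static bool use_after_free_seen;
static void switch_timer(struct push_switch *psw)   /* timer callback */
{
    if (timer_armed)
        pending_work = psw;      /* schedule_work(&psw->work) */
}

static void switch_work_handler(struct push_switch *psw)  /* worker body */
{
    if (psw->freed)              /* the "psw->state = 0 // use" access */
        use_after_free_seen = true;
    psw->state = 0;
}

static void run_worker(void)     /* worker thread picks up the queued item */
{
    struct push_switch *p = pending_work;
    pending_work = 0;
    if (p)
        switch_work_handler(p);
}

static void flush_work(void) { run_worker(); }  /* drains; cannot un-arm timer */
static void timer_shutdown_sync(void) { timer_armed = false; }
/* Replays the commit's interleaving: the timer fires on cpu 1 right after
 * cpu 0's flush_work(). fixed=true applies the patched order. Returns true
 * if the worker touched the freed object. */
bool switch_drv_remove_race(bool fixed)
{
    struct push_switch obj = { 1, false };
    pending_work = 0; timer_armed = true; use_after_free_seen = false;
    if (fixed)
        timer_shutdown_sync();   /* patched: stop the timer first */
    flush_work();                /* cpu 0 */
    switch_timer(&obj);          /* cpu 1: no-op once the timer is shut down */
    if (!fixed)
        timer_shutdown_sync();   /* original: work is already queued */
    obj.freed = true;            /* kfree(psw) stand-in: marks, does not free */
    run_worker();                /* cpu 1: the queued worker finally runs */
    return use_after_free_seen;
}
```

With the original order the call returns true (the worker writes to the freed object); with the patched order it returns false, because the timer can no longer queue work once it is shut down.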
Potential Impact
For European organizations, this vulnerability poses a serious risk, especially in environments running Linux kernels with the affected driver code, such as servers, embedded systems, and network devices. Successful exploitation could allow attackers to execute arbitrary code with kernel privileges, leading to full system compromise, data breaches, or denial of service. This is particularly critical for sectors relying heavily on Linux infrastructure, including finance, telecommunications, healthcare, and government agencies. The use-after-free flaw can be leveraged to bypass security controls, escalate privileges, or disrupt critical services. Given the high CVSS score and the kernel-level impact, organizations face risks to confidentiality (data exposure), integrity (unauthorized modification), and availability (system crashes or reboots). The local attack vector means that insider threats or compromised user accounts could exploit this vulnerability to gain elevated access, increasing the threat surface in multi-user or shared environments common in enterprise and cloud deployments across Europe.
Mitigation Recommendations
European organizations should immediately verify if their Linux kernel versions include the vulnerable code and apply the official patches that reorder the cleanup operations in switch_drv_remove(), specifically ensuring timer_shutdown_sync() is called before flush_work(). Beyond patching, organizations should audit and restrict local access permissions to minimize the risk of untrusted code execution. Employing kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR), Control Flow Integrity (CFI), and enabling security modules like SELinux or AppArmor can reduce exploitation likelihood. Regularly monitoring system logs for unusual worker or timer activity and using intrusion detection systems tailored for kernel anomalies can help detect exploitation attempts. For embedded or specialized Linux devices, coordinate with vendors to ensure firmware updates include this fix. Finally, incorporate this vulnerability into vulnerability management and incident response plans to ensure rapid remediation and containment if exploitation is suspected.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Finland, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-03-06T09:52:12.092Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9830c4522896dcbe7134
Added to database: 5/21/2025, 9:09:04 AM
Last enriched: 7/3/2025, 3:56:10 AM
Last updated: 8/15/2025, 3:48:11 AM