
CVE-2023-52635: Vulnerability in Linux (Linux kernel)

Severity: High
Tags: vulnerability, cve, cve-2023-52635
Published: Tue Apr 02 2024 (04/02/2024, 06:49:13 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

PM / devfreq: Synchronize devfreq_monitor_[start/stop]

There is a chance that a frequent switch of the governor, done in a loop, results in timer list corruption, where the timer cancel is done from two places: once from cancel_delayed_work_sync() and then again from expire_timers(), as can be seen from the traces [1].

    while true
    do
        echo "simple_ondemand" > /sys/class/devfreq/1d84000.ufshc/governor
        echo "performance" > /sys/class/devfreq/1d84000.ufshc/governor
    done

It looks to be an issue with the devfreq driver, where devfreq_monitor_[start/stop] need to be synchronized so that the delayed work does not get corrupted while it is being queued, running or cancelled. Let's use the polling flag and the devfreq lock to synchronize against queueing the timer instance twice and the work data being corrupted.

[1]

    ...
    ..
    <idle>-0 [003] 9436.209662: timer_cancel timer=0xffffff80444f0428
    <idle>-0 [003] 9436.209664: timer_expire_entry timer=0xffffff80444f0428 now=0x10022da1c function=__typeid__ZTSFvP10timer_listE_global_addr baseclk=0x10022da1c
    <idle>-0 [003] 9436.209718: timer_expire_exit timer=0xffffff80444f0428
    kworker/u16:6-14217 [003] 9436.209863: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2b now=0x10022da1c flags=182452227
    vendor.xxxyyy.ha-1593 [004] 9436.209888: timer_cancel timer=0xffffff80444f0428
    vendor.xxxyyy.ha-1593 [004] 9436.216390: timer_init timer=0xffffff80444f0428
    vendor.xxxyyy.ha-1593 [004] 9436.216392: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2c now=0x10022da1d flags=186646532
    vendor.xxxyyy.ha-1593 [005] 9436.220992: timer_cancel timer=0xffffff80444f0428
    xxxyyyTraceManag-7795 [004] 9436.261641: timer_cancel timer=0xffffff80444f0428

[2]

    [ 9436.261653][ C4] Unable to handle kernel paging request at virtual address dead00000000012a
    [ 9436.261664][ C4] Mem abort info:
    [ 9436.261666][ C4]   ESR = 0x96000044
    [ 9436.261669][ C4]   EC = 0x25: DABT (current EL), IL = 32 bits
    [ 9436.261671][ C4]   SET = 0, FnV = 0
    [ 9436.261673][ C4]   EA = 0, S1PTW = 0
    [ 9436.261675][ C4] Data abort info:
    [ 9436.261677][ C4]   ISV = 0, ISS = 0x00000044
    [ 9436.261680][ C4]   CM = 0, WnR = 1
    [ 9436.261682][ C4] [dead00000000012a] address between user and kernel address ranges
    [ 9436.261685][ C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP
    [ 9436.261701][ C4] Skip md ftrace buffer dump for: 0x3a982d0
    ...
    [ 9436.262138][ C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S W O 5.10.149-android12-9-o-g17f915d29d0c #1
    [ 9436.262141][ C4] Hardware name: Qualcomm Technologies, Inc. (DT)
    [ 9436.262144][ C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--)
    [ 9436.262161][ C4] pc : expire_timers+0x9c/0x438
    [ 9436.262164][ C4] lr : expire_timers+0x2a4/0x438
    [ 9436.262168][ C4] sp : ffffffc010023dd0
    [ 9436.262171][ C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18
    [ 9436.262178][ C4] x27: ffffffd063569dd0 x26: ffffffd063536008
    [ 9436.262182][ C4] x25: 0000000000000001 x24: ffffff88f7c69280
    [ 9436.262185][ C4] x23: 00000000000000e0 x22: dead000000000122
    [ 9436.262188][ C4] x21: 000000010022da29 x20: ffffff8af72b4e80
    [ 9436.262191][ C4] x19: ffffffc010023e50 x18: ffffffc010025038
    [ 9436.262195][ C4] x17: 0000000000000240 x16: 0000000000000201
    [ 9436.262199][ C4] x15: ffffffffffffffff x14: ffffff889f3c3100
    [ 9436.262203][ C4] x13: ffffff889f3c3100 x12: 00000000049f56b8
    [ 9436.262207][ C4] x11: 00000000049f56b8 x10: 00000000ffffffff
    [ 9436.262212][ C4] x9 : ffffffc010023e50 x8 : dead000000000122
    [ 9436.262216][ C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8
    [ 9436.262220][ C4] x5 : 0000000000000000 x4 : 0000000000000101
    [ 9436.262223][ C4] x3 : 0000000000000080 x2 : ffffff8 ---truncated---

AI-Powered Analysis

Last updated: 07/01/2025, 05:09:38 UTC

Technical Analysis

CVE-2023-52635 is a vulnerability in the Linux kernel's devfreq subsystem, specifically in the synchronization of the devfreq_monitor_start() and devfreq_monitor_stop() functions. The devfreq driver manages dynamic frequency scaling for devices to balance power consumption and performance. The vulnerability is triggered by rapid, repeated switching of the frequency governor in a loop, which can corrupt the kernel timer list: timer cancellation ends up being invoked from two different contexts, cancel_delayed_work_sync() and expire_timers(). Without proper synchronization, the delayed work structure can be corrupted while it is being queued, running, or cancelled.

The result is kernel timer corruption that leads to a kernel oops and memory abort, as shown in the traces in the description; the faulting address (dead00000000012a) lies in the kernel's list-poison range, which is consistent with a timer list entry being touched after it was already removed. The root cause is a race condition in the devfreq driver: the start and stop operations are not adequately synchronized, so a timer instance can be queued or cancelled twice, ending in an invalid memory access. The fix introduces a polling flag and uses the devfreq lock to serialize timer queueing and cancellation, so the delayed work data structures cannot be corrupted.

This vulnerability affects Linux kernel versions prior to the patch and is particularly relevant for systems that use the devfreq driver, such as embedded devices and mobile platforms running Linux kernels on Qualcomm hardware. There are no known exploits in the wild at the time of publication, and no CVSS score has been assigned yet.
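The guarded start/stop pattern that the commit message and the analysis above describe, as an added userspace model in C (illustrative code written for this page, not the kernel's devfreq driver): a self re-arming "delayed work" whose start and stop paths use a polling flag and a pending check under one lock, run side by side with an unguarded variant under a tight governor-switch loop. The struct, function and counter names are assumptions of the model; a "double arm" stands in for queueing a timer that is already on the timer list.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>

struct monitor {                   /* illustrative model, not the kernel's struct devfreq */
    pthread_mutex_t lock;          /* models devfreq->lock */
    bool stop_polling, synced;     /* polling flag (only under lock); guarded or naive */
    atomic_bool pending, running;  /* pending: the timer is on the timer list */
    atomic_int double_arm;         /* timer_start on a timer already on the list */
};
static void arm(struct monitor *m) {   /* arming a queued timer again = list corruption */
    if (atomic_exchange(&m->pending, true)) atomic_fetch_add(&m->double_arm, 1);
}
static void monitor_start(struct monitor *m) {
    if (!m->synced) { arm(m); return; }
    pthread_mutex_lock(&m->lock);
    if (!atomic_load(&m->pending)) arm(m);   /* delayed_work_pending() check */
    m->stop_polling = false;
    pthread_mutex_unlock(&m->lock);
}
static void monitor_stop(struct monitor *m) {
    if (!m->synced) { atomic_store(&m->pending, false); return; }
    pthread_mutex_lock(&m->lock);
    bool already_stopped = m->stop_polling;   /* a second stop is a no-op */
    m->stop_polling = true;
    pthread_mutex_unlock(&m->lock);           /* cancel runs outside the handler's lock */
    if (!already_stopped) atomic_store(&m->pending, false);
}
/* expire_timers(): the timer fires and the handler re-queues the work. */
static void *workqueue(void *arg) {
    struct monitor *m = arg;
    while (atomic_load(&m->running)) {
        if (m->synced) pthread_mutex_lock(&m->lock);
        if (atomic_exchange(&m->pending, false) && (!m->synced || !m->stop_polling))
            arm(m);                            /* re-arm unless polling was stopped */
        if (m->synced) pthread_mutex_unlock(&m->lock);
        sched_yield();
    }
    return NULL;
}
int stress(bool synced) {   /* one thread flips the governor (stop, start) against the worker */
    struct monitor m = { .lock = PTHREAD_MUTEX_INITIALIZER, .stop_polling = true,
                         .synced = synced, .running = true };
    pthread_t t; pthread_create(&t, NULL, workqueue, &m);
    for (int i = 0; i < 20000; i++) { monitor_stop(&m); monitor_start(&m); }
    monitor_stop(&m);
    atomic_store(&m.running, false); pthread_join(t, NULL);
    return atomic_load(&m.double_arm);   /* 0 when synced; the naive run usually reports some */
}
```

The naive run's double-arm count depends on thread scheduling, so only the guarded run's zero is a fixed result.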

Potential Impact

For European organizations, the impact of CVE-2023-52635 depends largely on their use of Linux-based systems that utilize the devfreq driver, especially those running on Qualcomm hardware or similar embedded platforms. The vulnerability can cause kernel crashes and system instability, potentially leading to denial of service (DoS) conditions. This can disrupt critical services, particularly in sectors relying on embedded Linux devices such as telecommunications infrastructure, industrial control systems, automotive systems, and IoT deployments. In environments where uptime and reliability are critical, such as healthcare, manufacturing, and financial services, this vulnerability could lead to operational disruptions. Although there is no evidence of privilege escalation or remote code execution, the kernel panic and memory corruption could be leveraged by attackers with local access to cause service outages or to facilitate further attacks by destabilizing the system. The lack of requirement for user interaction suggests that automated or scripted attacks could trigger the vulnerability if local access is obtained. Given the widespread use of Linux in European IT infrastructure and embedded systems, the vulnerability poses a moderate risk, especially for organizations with embedded Linux devices or custom Linux kernels that have not yet applied the patch.

Mitigation Recommendations

European organizations should prioritize the following mitigation steps:

1) Identify and inventory all Linux systems, particularly embedded devices and servers running kernels with devfreq support, especially those on Qualcomm or similar hardware platforms.
2) Apply the official Linux kernel patches that address CVE-2023-52635 as soon as they become available from trusted sources or Linux distribution vendors.
3) For devices where kernel patching is not immediately feasible, implement operational controls to limit rapid governor switching, or disable devfreq governor switching loops in software configurations, to reduce the risk of triggering the vulnerability.
4) Monitor system logs and kernel traces for signs of timer corruption or kernel oops related to devfreq operations to detect potential exploitation attempts or instability.
5) Restrict local access to trusted users and enforce strict access controls to prevent unauthorized users from triggering the vulnerability.
6) Engage with hardware and software vendors to ensure timely updates and support for affected embedded devices.
7) Incorporate this vulnerability into vulnerability management and patching cycles, ensuring embedded and IoT devices are not overlooked.

These steps go beyond generic advice by focusing on embedded device management, kernel patching, and operational controls specific to the devfreq subsystem.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-03-06T09:52:12.092Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9830c4522896dcbe7164

Added to database: 5/21/2025, 9:09:04 AM

Last enriched: 7/1/2025, 5:09:38 AM

Last updated: 8/12/2025, 8:40:55 PM