
CVE-2023-53023: Vulnerability in Linux Linux

Severity: High
Published: Thu Mar 27 2025 (03/27/2025, 16:43:49 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved: net: nfc: Fix use-after-free in local_cleanup()

Fix a use-after-free that occurs in kfree_skb() called from local_cleanup(). This could happen when killing nfc daemon (e.g. neard) after detaching an nfc device.

When detaching an nfc device, local_cleanup() called from nfc_llcp_unregister_device() frees local->rx_pending and decreases local->ref by kref_put() in nfc_llcp_local_put(). In the terminating process, nfc daemon releases all sockets and it leads to decreasing local->ref. After the last release of local->ref, local_cleanup() called from local_release() frees local->rx_pending again, which leads to the bug.

Setting local->rx_pending to NULL in local_cleanup() could prevent use-after-free when local_cleanup() is called twice.

Found by a modified version of syzkaller.

BUG: KASAN: use-after-free in kfree_skb()
Call Trace:
 dump_stack_lvl (lib/dump_stack.c:106)
 print_address_description.constprop.0.cold (mm/kasan/report.c:306)
 kasan_check_range (mm/kasan/generic.c:189)
 kfree_skb (net/core/skbuff.c:955)
 local_cleanup (net/nfc/llcp_core.c:159)
 nfc_llcp_local_put.part.0 (net/nfc/llcp_core.c:172)
 nfc_llcp_local_put (net/nfc/llcp_core.c:181)
 llcp_sock_destruct (net/nfc/llcp_sock.c:959)
 __sk_destruct (net/core/sock.c:2133)
 sk_destruct (net/core/sock.c:2181)
 __sk_free (net/core/sock.c:2192)
 sk_free (net/core/sock.c:2203)
 llcp_sock_release (net/nfc/llcp_sock.c:646)
 __sock_release (net/socket.c:650)
 sock_close (net/socket.c:1365)
 __fput (fs/file_table.c:306)
 task_work_run (kernel/task_work.c:179)
 ptrace_notify (kernel/signal.c:2354)
 syscall_exit_to_user_mode_prepare (kernel/entry/common.c:278)
 syscall_exit_to_user_mode (kernel/entry/common.c:296)
 do_syscall_64 (arch/x86/entry/common.c:86)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:106)

Allocated by task 4719:
 kasan_save_stack (mm/kasan/common.c:45)
 __kasan_slab_alloc (mm/kasan/common.c:325)
 slab_post_alloc_hook (mm/slab.h:766)
 kmem_cache_alloc_node (mm/slub.c:3497)
 __alloc_skb (net/core/skbuff.c:552)
 pn533_recv_response (drivers/nfc/pn533/usb.c:65)
 __usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1671)
 usb_giveback_urb_bh (drivers/usb/core/hcd.c:1704)
 tasklet_action_common.isra.0 (kernel/softirq.c:797)
 __do_softirq (kernel/softirq.c:571)

Freed by task 1901:
 kasan_save_stack (mm/kasan/common.c:45)
 kasan_set_track (mm/kasan/common.c:52)
 kasan_save_free_info (mm/kasan/generic.c:518)
 __kasan_slab_free (mm/kasan/common.c:236)
 kmem_cache_free (mm/slub.c:3809)
 kfree_skbmem (net/core/skbuff.c:874)
 kfree_skb (net/core/skbuff.c:931)
 local_cleanup (net/nfc/llcp_core.c:159)
 nfc_llcp_unregister_device (net/nfc/llcp_core.c:1617)
 nfc_unregister_device (net/nfc/core.c:1179)
 pn53x_unregister_nfc (drivers/nfc/pn533/pn533.c:2846)
 pn533_usb_disconnect (drivers/nfc/pn533/usb.c:579)
 usb_unbind_interface (drivers/usb/core/driver.c:458)
 device_release_driver_internal (drivers/base/dd.c:1279)
 bus_remove_device (drivers/base/bus.c:529)
 device_del (drivers/base/core.c:3665)
 usb_disable_device (drivers/usb/core/message.c:1420)
 usb_disconnect (drivers/usb/core.c:2261)
 hub_event (drivers/usb/core/hub.c:5833)
 process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2281)
 worker_thread (include/linux/list.h:282 kernel/workqueue.c:2423)
 kthread (kernel/kthread.c:319)
 ret_from_fork (arch/x86/entry/entry_64.S:301)

AI-Powered Analysis

Last updated: 07/03/2025, 03:55:58 UTC

Technical Analysis

CVE-2023-53023 is a high-severity use-after-free vulnerability in the Linux kernel's NFC (Near Field Communication) subsystem, specifically in the net/nfc/llcp_core.c component. The flaw arises during cleanup of the NFC local (LLCP) state when the NFC daemon (such as neard) is terminated after an NFC device has been detached. local_cleanup() is called twice on the same object, so the local->rx_pending socket buffer is freed twice. On device detach, nfc_llcp_unregister_device() calls local_cleanup(), which frees local->rx_pending, and then drops the reference count local->ref via kref_put() in nfc_llcp_local_put(). When the terminating NFC daemon releases its remaining sockets, local->ref is decremented again; on the last put, local_release() invokes local_cleanup() a second time, which frees the already-freed local->rx_pending, resulting in a use-after-free. This can lead to memory corruption, kernel crashes, or potentially arbitrary code execution in kernel context. The bug was discovered with a modified syzkaller fuzzer and is confirmed by Kernel Address Sanitizer (KASAN) reports. The vulnerability affects Linux kernel versions identified by the commit hash 3536da06db0baa675f32de608c0a4c0f5ef0e9ff and likely other versions containing the same code. The CVSS v3.1 score is 7.8 (high), reflecting a local attack vector with low complexity, requiring privileges but no user interaction, and impacting confidentiality, integrity, and availability. Exploitation requires local access and privileges to interact with NFC devices and the NFC daemon. No known exploits are currently reported in the wild. The fix sets local->rx_pending to NULL after freeing it in local_cleanup(), so a second call to local_cleanup() frees nothing. This vulnerability falls under CWE-416 (Use After Free).
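As an added illustration (not code from this page or from the kernel), the following userspace C model replays the sequence described in the commit message and in the analysis above: device detach calls local_cleanup() and drops one reference, then the daemon's socket releases drop the remaining references and local_release() calls local_cleanup() again. The skb and llcp_local types and the function names are simplified stand-ins for the kernel structures, and frees are counted rather than performed so the double free is observable instead of undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for struct sk_buff: counts how often it was "freed". */
struct skb { int times_freed; };

/* Constructed stand-in for the kernel's nfc_llcp_local. */
struct llcp_local {
    int ref;                 /* models local->ref (a kref) */
    struct skb *rx_pending;  /* models local->rx_pending */
    bool patched;            /* false = pre-fix behaviour, true = CVE-2023-53023 fix */
};

/* Models kfree_skb(): record the free instead of releasing memory. */
static void kfree_skb_model(struct skb *s)
{
    if (s)
        s->times_freed++;
}

/* Models local_cleanup(). Pre-fix it leaves rx_pending dangling after the free. */
static void local_cleanup(struct llcp_local *local)
{
    kfree_skb_model(local->rx_pending);
    if (local->patched)
        local->rx_pending = NULL;   /* the fix: a second call now frees nothing */
}

/* Models nfc_llcp_local_put(): kref_put -> local_release -> local_cleanup on last ref. */
static void nfc_llcp_local_put(struct llcp_local *local)
{
    if (--local->ref == 0)
        local_cleanup(local);
}

/* Models nfc_llcp_unregister_device(): clean up now, then drop the device's reference. */
static void nfc_llcp_unregister_device(struct llcp_local *local)
{
    local_cleanup(local);
    nfc_llcp_local_put(local);
}

/* Replays detach followed by the daemon closing its sockets. Returns how many
 * times the same rx_pending skb was freed: 1 is correct, 2 is the double free. */
int replay_detach_then_socket_close(bool patched, int open_sockets)
{
    struct skb pending = { 0 };
    struct llcp_local local = { .ref = 1 + open_sockets, .rx_pending = &pending, .patched = patched };
    nfc_llcp_unregister_device(&local);        /* pn533_usb_disconnect path */
    for (int i = 0; i < open_sockets; i++)
        nfc_llcp_local_put(&local);            /* llcp_sock_release -> llcp_sock_destruct */
    return pending.times_freed;
}
```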

Potential Impact

For European organizations, the impact of CVE-2023-53023 depends on the deployment of Linux systems with NFC capabilities and the use of NFC daemons like neard. Organizations using Linux-based IoT devices, embedded systems, or servers that support NFC functionality could be at risk. Exploitation could allow a local attacker with privileges to cause denial of service through kernel crashes or potentially escalate privileges by executing arbitrary code in kernel space. This could compromise system confidentiality, integrity, and availability, affecting critical infrastructure, industrial control systems, or enterprise environments relying on Linux. Given the local attack vector, the threat is more significant in environments where untrusted users have shell or local access. The vulnerability could disrupt services, lead to data breaches, or facilitate lateral movement within networks. European sectors such as manufacturing, transportation, and public services that utilize NFC-enabled Linux devices may face operational risks. The absence of known exploits reduces immediate risk but patching is critical to prevent future exploitation.

Mitigation Recommendations

1. Apply the official Linux kernel patches that address CVE-2023-53023 as soon as they become available from trusted sources or Linux distribution vendors.
2. For organizations using NFC functionality, consider disabling NFC services or daemons (e.g., neard) on systems where NFC is not required to reduce the attack surface.
3. Restrict local access to trusted users only and enforce strict privilege separation to prevent unprivileged users from interacting with NFC devices or daemons.
4. Employ kernel hardening techniques such as Kernel Address Sanitizer (KASAN) and other memory safety tools during development and testing phases to detect similar issues early.
5. Monitor system logs for unusual crashes or kernel messages related to NFC subsystems that could indicate exploitation attempts.
6. Maintain up-to-date inventories of Linux systems with NFC capabilities to prioritize patching and risk management.
7. Implement strict access controls and auditing on systems with NFC hardware to detect and prevent unauthorized local access.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-03-27T16:40:15.753Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9830c4522896dcbe6d4e

Added to database: 5/21/2025, 9:09:04 AM

Last enriched: 7/3/2025, 3:55:58 AM

Last updated: 8/17/2025, 2:23:39 AM
