CVE-2023-53045: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: u_audio: don't let userspace block driver unbind

In the unbind callback for f_uac1 and f_uac2, a call to snd_card_free() via g_audio_cleanup() will disconnect the card and then wait for all resources to be released, which happens when the refcount falls to zero. Since userspace can keep the refcount incremented by not closing the relevant file descriptor, the call to unbind may block indefinitely. This can cause a deadlock during reboot, as evidenced by the following blocked task observed on my machine:

    task:reboot state:D stack:0 pid:2827 ppid:569 flags:0x0000000c
    Call trace:
     __switch_to+0xc8/0x140
     __schedule+0x2f0/0x7c0
     schedule+0x60/0xd0
     schedule_timeout+0x180/0x1d4
     wait_for_completion+0x78/0x180
     snd_card_free+0x90/0xa0
     g_audio_cleanup+0x2c/0x64
     afunc_unbind+0x28/0x60
     ...
     kernel_restart+0x4c/0xac
     __do_sys_reboot+0xcc/0x1ec
     __arm64_sys_reboot+0x28/0x30
     invoke_syscall+0x4c/0x110
     ...

The issue can also be observed by opening the card with arecord and then stopping the process through the shell before unbinding:

    # arecord -D hw:UAC2Gadget -f S32_LE -c 2 -r 48000 /dev/null
    Recording WAVE '/dev/null' : Signed 32 bit Little Endian, Rate 48000 Hz, Stereo
    ^Z[1]+ Stopped arecord -D hw:UAC2Gadget -f S32_LE -c 2 -r 48000 /dev/null
    # echo gadget.0 > /sys/bus/gadget/drivers/configfs-gadget/unbind
    (observe that the unbind command never finishes)

Fix the problem by using snd_card_free_when_closed() instead, which will still disconnect the card as desired, but defer the task of freeing the resources to the core once userspace closes its file descriptor.
AI Analysis
Technical Summary
CVE-2023-53045 is a vulnerability identified in the Linux kernel's USB gadget audio driver, specifically affecting the f_uac1 and f_uac2 functions within the USB Audio Class 1 and 2 gadget implementations. The issue arises in the unbind callback routine, where the function snd_card_free() is called via g_audio_cleanup() to disconnect the sound card and wait for all associated resources to be released. However, if userspace keeps the reference count incremented by not closing the relevant file descriptor, the unbind operation blocks indefinitely, causing a deadlock. This deadlock can manifest during system reboot, preventing the system from restarting properly. The problem can be reproduced by opening the audio card device (e.g., using arecord) and then stopping the process without closing the file descriptor before attempting to unbind the gadget driver. The unbind command hangs because snd_card_free() waits for the reference count to drop to zero, which does not happen until userspace closes the file descriptor. The fix involves replacing snd_card_free() with snd_card_free_when_closed(), which defers resource freeing until userspace closes the file descriptor, thus preventing the unbind callback from blocking. This vulnerability affects Linux kernel versions identified by the commit hash 132fcb460839a876f5bc8b71bede60f8d0875757 and likely other versions containing the same code pattern. No known exploits are reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations relying on Linux-based systems, especially those using USB gadget audio functionalities (such as embedded devices, IoT gateways, or specialized audio hardware running Linux), this vulnerability can cause system instability and denial of service through deadlocks during device unbinding or system reboot. The deadlock prevents proper shutdown or restart, potentially leading to prolonged downtime or requiring manual intervention to recover the system. This can impact critical infrastructure or services that depend on high availability. While the vulnerability does not directly lead to privilege escalation or data breach, the denial of service effect can disrupt operations, especially in environments where automated reboots or device reconfiguration are common. Systems running Linux kernels with the affected USB audio gadget drivers are at risk, including servers, industrial control systems, and network appliances deployed across Europe. The issue is particularly relevant in environments where userspace applications interact with USB audio gadgets and may leave file descriptors open during driver unbind operations.
Mitigation Recommendations
1. Apply the official Linux kernel patch that replaces snd_card_free() with snd_card_free_when_closed() in the USB audio gadget driver to ensure proper resource cleanup without blocking.
2. Update Linux kernel versions to those including the fix for CVE-2023-53045 as soon as patches become available from distributors or upstream sources.
3. In the interim, avoid stopping userspace processes interacting with USB audio gadgets abruptly; ensure that file descriptors are properly closed before unbinding the gadget driver or rebooting.
4. Implement monitoring to detect hung unbind operations or reboot failures related to USB audio gadget usage.
5. For embedded or specialized devices, consider disabling USB audio gadget functionality if not required to reduce attack surface.
6. Coordinate with hardware and software vendors to confirm that their Linux kernel versions include the fix and to receive timely updates.
7. Incorporate this vulnerability into incident response and patch management workflows to prioritize remediation in affected environments.
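One way to implement the monitoring in recommendation 4, added here as an example and not taken from the kernel patch or from this advisory's source: it scans kernel blocked-task dumps for a D-state task waiting in snd_card_free() called directly from g_audio_cleanup(), the path shown in the description. The function names, the SIGNATURE tuple and the second task in the sample log are assumptions made for the example.

```python
import re

# Constructed sample: the first task is the blocked-task dump quoted in the
# advisory (abridged); the second is a made-up D-state task for contrast.
SAMPLE_LOG = """\
task:reboot state:D stack:0 pid:2827 ppid:569 flags:0x0000000c
Call trace:
 __switch_to+0xc8/0x140
 __schedule+0x2f0/0x7c0
 schedule+0x60/0xd0
 schedule_timeout+0x180/0x1d4
 wait_for_completion+0x78/0x180
 snd_card_free+0x90/0xa0
 g_audio_cleanup+0x2c/0x64
 afunc_unbind+0x28/0x60
 ...
 kernel_restart+0x4c/0xac
 __do_sys_reboot+0xcc/0x1ec
task:kworker/u8:1 state:D stack:0 pid:91 ppid:2 flags:0x00000008
Call trace:
 __switch_to+0xc8/0x140
 io_schedule+0x40/0x60
"""

TASK_RE = re.compile(r"task:(\S+)\s+state:(\S)\s.*?pid:(\d+)")
FRAME_RE = re.compile(r"(?<![\w.])([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Innermost frame first: snd_card_free() called directly from g_audio_cleanup().
SIGNATURE = ("snd_card_free", "g_audio_cleanup")

def parse_blocked_tasks(log_text):
    """Group each 'task:' header with the stack frames that follow it."""
    tasks = []
    for line in log_text.splitlines():
        header = TASK_RE.search(line)
        if header:
            comm, state, pid = header.groups()
            tasks.append({"comm": comm, "state": state, "pid": int(pid), "frames": []})
        elif tasks and (frame := FRAME_RE.search(line)):
            tasks[-1]["frames"].append(frame.group(1))
    return tasks

def hung_uac_unbinds(log_text):
    """Return D-state tasks waiting in snd_card_free() under g_audio_cleanup()."""
    hits = []
    for task in parse_blocked_tasks(log_text):
        pairs = zip(task["frames"], task["frames"][1:])
        if task["state"] == "D" and SIGNATURE in pairs:
            hits.append(task)
    return hits
```

A patched kernel calls snd_card_free_when_closed() on this path, so the frame pair no longer appears and the check stays quiet.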
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-04-16T07:18:43.828Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9830c4522896dcbe6dda
Added to database: 5/21/2025, 9:09:04 AM
Last enriched: 7/1/2025, 3:41:19 AM
Last updated: 7/31/2025, 9:16:16 AM