CVE-2023-53054: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: usb: dwc2: fix a devres leak in hw_enable upon suspend resume Each time the platform goes to low power, PM suspend / resume routines call: __dwc2_lowlevel_hw_enable -> devm_add_action_or_reset(). This adds a new devres each time. This may also happen at runtime, as dwc2_lowlevel_hw_enable() can be called from udc_start(). This can be seen with tracing: - echo 1 > /sys/kernel/debug/tracing/events/dev/devres_log/enable - go to low power - cat /sys/kernel/debug/tracing/trace A new "ADD" entry is found upon each low power cycle: ... devres_log: 49000000.usb-otg ADD 82a13bba devm_action_release (8 bytes) ... devres_log: 49000000.usb-otg ADD 49889daf devm_action_release (8 bytes) ... A second issue is addressed here: - regulator_bulk_enable() is called upon each PM cycle (suspend/resume). - regulator_bulk_disable() never gets called. So the reference count for these regulators constantly increase, by one upon each low power cycle, due to missing regulator_bulk_disable() call in __dwc2_lowlevel_hw_disable(). The original fix that introduced the devm_add_action_or_reset() call, fixed an issue during probe, that happens due to other errors in dwc2_driver_probe() -> dwc2_core_reset(). Then the probe fails without disabling regulators, when dr_mode == USB_DR_MODE_PERIPHERAL. Rather fix the error path: disable all the low level hardware in the error path, by using the "hsotg->ll_hw_enabled" flag. Checking dr_mode has been introduced to avoid a dual call to dwc2_lowlevel_hw_disable(). "ll_hw_enabled" should achieve the same (and is used currently in the remove() routine).
AI Analysis
Technical Summary
CVE-2023-53054 is a vulnerability identified in the Linux kernel's USB driver subsystem, specifically within the DesignWare Core USB 2.0 (dwc2) controller driver. The issue arises from improper resource management during power management (PM) suspend and resume cycles. The vulnerability manifests as a resource leak in the devres (device resource) framework due to repeated calls to devm_add_action_or_reset() in the function __dwc2_lowlevel_hw_enable() without corresponding cleanup. Each time the system enters low power mode and resumes, a new devres entry is added but never released, leading to a devres leak. This leak can also occur at runtime when dwc2lowlevel_hw_enable() is invoked from udc_start(). Additionally, a related problem involves regulator reference counting. The function regulator_bulk_enable() is called on each PM cycle, but regulator_bulk_disable() is never called, causing the reference count for regulators to increase indefinitely with each suspend/resume cycle. This can lead to resource exhaustion or instability in power regulator management. The root cause stems from an incomplete fix that introduced devm_add_action_or_reset() to address probe-time errors in dwc2_driver_probe() and dwc2_core_reset(), particularly when the device is in peripheral mode (USB_DR_MODE_PERIPHERAL). The fix did not properly handle the error path by disabling all low-level hardware components, resulting in the leaks. The proposed resolution involves using a flag (hsotg->ll_hw_enabled) to track hardware enablement state and ensure proper disablement during error handling and removal routines, preventing dual calls and resource leaks. This vulnerability affects multiple versions of the Linux kernel, as indicated by the affected commit hashes, and is relevant to systems using the dwc2 USB controller driver, commonly found in embedded devices, ARM-based platforms, and certain mobile or IoT devices running Linux. Although no known exploits are reported in the wild, the issue can degrade system stability and reliability over time due to resource leaks during power state transitions.
Potential Impact
For European organizations, the impact of CVE-2023-53054 primarily concerns devices and systems running Linux kernels with the dwc2 USB controller driver, especially embedded systems, industrial control systems, IoT devices, and ARM-based platforms prevalent in sectors such as manufacturing, telecommunications, automotive, and critical infrastructure. The resource leaks can lead to gradual degradation of device performance, increased power consumption, and potential system crashes or failures after repeated suspend/resume cycles. This can disrupt business operations, cause downtime, and increase maintenance costs. While the vulnerability does not directly enable remote code execution or privilege escalation, the stability issues may be exploited as part of a broader attack chain or cause denial of service conditions. Systems with stringent uptime requirements or those deployed in critical environments (e.g., healthcare, transportation) may be particularly vulnerable to operational disruptions. Furthermore, the lack of regulator reference count decrementing could impact power management, potentially causing hardware components to remain powered unnecessarily, affecting energy efficiency and device longevity. Given the widespread use of Linux in European embedded and industrial environments, organizations relying on affected devices should assess their exposure and prioritize patching or mitigation to maintain system reliability and security compliance.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2023-53054 as soon as they become available. Monitor Linux kernel mailing lists and vendor advisories for updated stable releases incorporating the fix. 2. For organizations managing embedded or ARM-based Linux devices, coordinate with hardware vendors or system integrators to obtain updated firmware or kernel versions that include the fix. 3. Implement monitoring of system logs and kernel tracing facilities (e.g., /sys/kernel/debug/tracing) to detect abnormal devres additions or regulator reference count anomalies indicative of the leak. 4. Where patching is delayed, consider implementing controlled reboot schedules for affected devices to mitigate resource exhaustion from leaks. 5. Review power management configurations to ensure suspend/resume cycles are minimized or managed carefully, reducing the frequency of triggering the vulnerability. 6. Conduct thorough testing of updated kernels in staging environments to confirm that the fix does not introduce regressions, especially in power management and USB functionality. 7. For critical infrastructure, incorporate this vulnerability into risk assessments and incident response plans, ensuring readiness to address potential stability issues. 8. Engage with Linux distribution maintainers and embedded system suppliers to prioritize backporting fixes for long-term support (LTS) kernel versions used in production.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2023-53054: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: usb: dwc2: fix a devres leak in hw_enable upon suspend resume Each time the platform goes to low power, PM suspend / resume routines call: __dwc2_lowlevel_hw_enable -> devm_add_action_or_reset(). This adds a new devres each time. This may also happen at runtime, as dwc2_lowlevel_hw_enable() can be called from udc_start(). This can be seen with tracing: - echo 1 > /sys/kernel/debug/tracing/events/dev/devres_log/enable - go to low power - cat /sys/kernel/debug/tracing/trace A new "ADD" entry is found upon each low power cycle: ... devres_log: 49000000.usb-otg ADD 82a13bba devm_action_release (8 bytes) ... devres_log: 49000000.usb-otg ADD 49889daf devm_action_release (8 bytes) ... A second issue is addressed here: - regulator_bulk_enable() is called upon each PM cycle (suspend/resume). - regulator_bulk_disable() never gets called. So the reference count for these regulators constantly increase, by one upon each low power cycle, due to missing regulator_bulk_disable() call in __dwc2_lowlevel_hw_disable(). The original fix that introduced the devm_add_action_or_reset() call, fixed an issue during probe, that happens due to other errors in dwc2_driver_probe() -> dwc2_core_reset(). Then the probe fails without disabling regulators, when dr_mode == USB_DR_MODE_PERIPHERAL. Rather fix the error path: disable all the low level hardware in the error path, by using the "hsotg->ll_hw_enabled" flag. Checking dr_mode has been introduced to avoid a dual call to dwc2_lowlevel_hw_disable(). "ll_hw_enabled" should achieve the same (and is used currently in the remove() routine).
AI-Powered Analysis
Technical Analysis
CVE-2023-53054 is a vulnerability identified in the Linux kernel's USB driver subsystem, specifically within the DesignWare Core USB 2.0 (dwc2) controller driver. The issue arises from improper resource management during power management (PM) suspend and resume cycles. The vulnerability manifests as a resource leak in the devres (device resource) framework due to repeated calls to devm_add_action_or_reset() in the function __dwc2_lowlevel_hw_enable() without corresponding cleanup. Each time the system enters low power mode and resumes, a new devres entry is added but never released, leading to a devres leak. This leak can also occur at runtime when dwc2lowlevel_hw_enable() is invoked from udc_start(). Additionally, a related problem involves regulator reference counting. The function regulator_bulk_enable() is called on each PM cycle, but regulator_bulk_disable() is never called, causing the reference count for regulators to increase indefinitely with each suspend/resume cycle. This can lead to resource exhaustion or instability in power regulator management. The root cause stems from an incomplete fix that introduced devm_add_action_or_reset() to address probe-time errors in dwc2_driver_probe() and dwc2_core_reset(), particularly when the device is in peripheral mode (USB_DR_MODE_PERIPHERAL). The fix did not properly handle the error path by disabling all low-level hardware components, resulting in the leaks. The proposed resolution involves using a flag (hsotg->ll_hw_enabled) to track hardware enablement state and ensure proper disablement during error handling and removal routines, preventing dual calls and resource leaks. This vulnerability affects multiple versions of the Linux kernel, as indicated by the affected commit hashes, and is relevant to systems using the dwc2 USB controller driver, commonly found in embedded devices, ARM-based platforms, and certain mobile or IoT devices running Linux. Although no known exploits are reported in the wild, the issue can degrade system stability and reliability over time due to resource leaks during power state transitions.
Potential Impact
For European organizations, the impact of CVE-2023-53054 primarily concerns devices and systems running Linux kernels with the dwc2 USB controller driver, especially embedded systems, industrial control systems, IoT devices, and ARM-based platforms prevalent in sectors such as manufacturing, telecommunications, automotive, and critical infrastructure. The resource leaks can lead to gradual degradation of device performance, increased power consumption, and potential system crashes or failures after repeated suspend/resume cycles. This can disrupt business operations, cause downtime, and increase maintenance costs. While the vulnerability does not directly enable remote code execution or privilege escalation, the stability issues may be exploited as part of a broader attack chain or cause denial of service conditions. Systems with stringent uptime requirements or those deployed in critical environments (e.g., healthcare, transportation) may be particularly vulnerable to operational disruptions. Furthermore, the lack of regulator reference count decrementing could impact power management, potentially causing hardware components to remain powered unnecessarily, affecting energy efficiency and device longevity. Given the widespread use of Linux in European embedded and industrial environments, organizations relying on affected devices should assess their exposure and prioritize patching or mitigation to maintain system reliability and security compliance.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2023-53054 as soon as they become available. Monitor Linux kernel mailing lists and vendor advisories for updated stable releases incorporating the fix. 2. For organizations managing embedded or ARM-based Linux devices, coordinate with hardware vendors or system integrators to obtain updated firmware or kernel versions that include the fix. 3. Implement monitoring of system logs and kernel tracing facilities (e.g., /sys/kernel/debug/tracing) to detect abnormal devres additions or regulator reference count anomalies indicative of the leak. 4. Where patching is delayed, consider implementing controlled reboot schedules for affected devices to mitigate resource exhaustion from leaks. 5. Review power management configurations to ensure suspend/resume cycles are minimized or managed carefully, reducing the frequency of triggering the vulnerability. 6. Conduct thorough testing of updated kernels in staging environments to confirm that the fix does not introduce regressions, especially in power management and USB functionality. 7. For critical infrastructure, incorporate this vulnerability into risk assessments and incident response plans, ensuring readiness to address potential stability issues. 8. Engage with Linux distribution maintainers and embedded system suppliers to prioritize backporting fixes for long-term support (LTS) kernel versions used in production.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-05-02T15:51:43.546Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9821c4522896dcbdd94c
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 6/28/2025, 1:56:37 AM
Last updated: 8/14/2025, 10:21:46 PM
Views: 10
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.