CVE-2023-53106

EUVD-2025-13161

02.05.2025, 16:15

In the Linux kernel, the following vulnerability has been resolved:

nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition

This bug influences both st_nci_i2c_remove and st_nci_spi_remove.
Take st_nci_i2c_remove as an example.

In st_nci_i2c_probe, it called ndlc_probe and bound &ndlc->sm_work
with llt_ndlc_sm_work.

When it calls ndlc_recv or timeout handler, it will finally call
schedule_work to start the work.

When we call st_nci_i2c_remove to remove the driver, there
may be a sequence as follows:

Fix it by finishing the work before cleanup in ndlc_remove

CPU0                  CPU1

                    |llt_ndlc_sm_work
st_nci_i2c_remove   |
  ndlc_remove       |
     st_nci_remove  |
     nci_free_device|
     kfree(ndev)    |
//free ndlc->ndev   |
                    |llt_ndlc_rcv_queue
                    |nci_recv_frame
                    |//use ndlc->ndev

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 20%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	3.17 ≤ 𝑥 < 4.14.311
linux	linux_kernel	4.15 ≤ 𝑥 < 4.19.279
linux	linux_kernel	4.20 ≤ 𝑥 < 5.4.238
linux	linux_kernel	5.5 ≤ 𝑥 < 5.10.176
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.104
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.21
linux	linux_kernel	6.2 ≤ 𝑥 < 6.2.8
linux	linux_kernel	6.3:rc1
linux	linux_kernel	6.3:rc2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.129-1 fixed
bookworm (security)	6.1.135-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.234-1 fixed
sid	6.12.25-1 fixed
trixie	6.12.22-1 fixed

openSUSE / SLES Releases

openSUSE Product

Release

cluster-md-kmp-default

suse enterprise server 12 SP5	4.12.14-122.261.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.110.1 fixed

dlm-kmp-default

suse enterprise server 12 SP5	4.12.14-122.261.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.110.1 fixed

gfs2-kmp-default

suse enterprise server 12 SP5	4.12.14-122.261.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.110.1 fixed

kernel-64kb

suse enterprise server 15 SP3	5.3.18-150300.59.207.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.167.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.110.1 fixed

kernel-default

suse enterprise server 12 SP5	4.12.14-122.261.1 fixed
suse enterprise server 15 SP2	5.3.18-150200.24.230.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.207.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.167.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.110.1 fixed

kernel-default-base

suse enterprise server 12 SP5	4.12.14-122.261.1 fixed
suse enterprise server 15 SP2	5.3.18-150200.24.230.1.150200.9.124.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.207.1.150300.18.124.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.167.1.150400.24.84.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.110.1.150500.6.51.3 fixed

kernel-default-man

suse enterprise server 12 SP5

4.12.14-122.261.1

fixed

kernel-docs

suse enterprise server 15 SP2	5.3.18-150200.24.230.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.207.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.167.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.110.1 fixed

kernel-macros

suse enterprise server 12 SP5	4.12.14-122.261.1 fixed
suse enterprise server 15 SP2	5.3.18-150200.24.230.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.207.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.167.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.110.1 fixed

kernel-obs-build

suse enterprise server 15 SP2	5.3.18-150200.24.230.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.207.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.167.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.110.1 fixed

kernel-preempt

suse enterprise server 15 SP2	5.3.18-150200.24.230.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.207.1 fixed

kernel-source

suse enterprise server 12 SP5	4.12.14-122.261.1 fixed
suse enterprise server 15 SP2	5.3.18-150200.24.230.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.207.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.167.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.110.1 fixed

kernel-syms

suse enterprise server 12 SP5	4.12.14-122.261.1 fixed
suse enterprise server 15 SP2	5.3.18-150200.24.230.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.207.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.167.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.110.1 fixed

kernel-zfcpdump

suse enterprise server 15 SP3	5.3.18-150300.59.207.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.167.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.110.1 fixed

ocfs2-kmp-default

suse enterprise server 12 SP5	4.12.14-122.261.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.110.1 fixed

reiserfs-kmp-default

suse enterprise server 15 SP2	5.3.18-150200.24.230.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.207.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.167.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.110.1 fixed

Common Weakness Enumeration

CWE-416 - Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

References

https://git.kernel.org/stable/c/2156490c4b7cacda9a18ec99929940b8376dc0e3

https://git.kernel.org/stable/c/3405eb641dafcc8b28d174784b203c1622c121bf

https://git.kernel.org/stable/c/43aa468df246175207a7d5d7d6d31b231f15b49c

https://git.kernel.org/stable/c/5000fe6c27827a61d8250a7e4a1d26c3298ef4f6

https://git.kernel.org/stable/c/5e331022b448fbc5e76f24349cd0246844dcad25

https://git.kernel.org/stable/c/84dd9cc34014e3a3dcce0eb6d54b8a067e97676b

https://git.kernel.org/stable/c/b0c202a8dc63008205a5d546559736507a9aae66

https://git.kernel.org/stable/c/f589e5b56c562d99ea74e05b1c3f0eab78aa17a3