CVE-2023-53363 (GCVE-0-2023-53363)

Vulnerability from cvelistv5 – Published: 2025-09-17 14:56 – Updated: 2026-01-14 18:53
VLAI?
Title
PCI: Fix use-after-free in pci_bus_release_domain_nr()
Summary
In the Linux kernel, the following vulnerability has been resolved: PCI: Fix use-after-free in pci_bus_release_domain_nr() Commit c14f7ccc9f5d ("PCI: Assign PCI domain IDs by ida_alloc()") introduced a use-after-free bug in the bus removal cleanup. The issue was found with kfence: [ 19.293351] BUG: KFENCE: use-after-free read in pci_bus_release_domain_nr+0x10/0x70 [ 19.302817] Use-after-free read at 0x000000007f3b80eb (in kfence-#115): [ 19.309677] pci_bus_release_domain_nr+0x10/0x70 [ 19.309691] dw_pcie_host_deinit+0x28/0x78 [ 19.309702] tegra_pcie_deinit_controller+0x1c/0x38 [pcie_tegra194] [ 19.309734] tegra_pcie_dw_probe+0x648/0xb28 [pcie_tegra194] [ 19.309752] platform_probe+0x90/0xd8 ... [ 19.311457] kfence-#115: 0x00000000063a155a-0x00000000ba698da8, size=1072, cache=kmalloc-2k [ 19.311469] allocated by task 96 on cpu 10 at 19.279323s: [ 19.311562] __kmem_cache_alloc_node+0x260/0x278 [ 19.311571] kmalloc_trace+0x24/0x30 [ 19.311580] pci_alloc_bus+0x24/0xa0 [ 19.311590] pci_register_host_bridge+0x48/0x4b8 [ 19.311601] pci_scan_root_bus_bridge+0xc0/0xe8 [ 19.311613] pci_host_probe+0x18/0xc0 [ 19.311623] dw_pcie_host_init+0x2c0/0x568 [ 19.311630] tegra_pcie_dw_probe+0x610/0xb28 [pcie_tegra194] [ 19.311647] platform_probe+0x90/0xd8 ... [ 19.311782] freed by task 96 on cpu 10 at 19.285833s: [ 19.311799] release_pcibus_dev+0x30/0x40 [ 19.311808] device_release+0x30/0x90 [ 19.311814] kobject_put+0xa8/0x120 [ 19.311832] device_unregister+0x20/0x30 [ 19.311839] pci_remove_bus+0x78/0x88 [ 19.311850] pci_remove_root_bus+0x5c/0x98 [ 19.311860] dw_pcie_host_deinit+0x28/0x78 [ 19.311866] tegra_pcie_deinit_controller+0x1c/0x38 [pcie_tegra194] [ 19.311883] tegra_pcie_dw_probe+0x648/0xb28 [pcie_tegra194] [ 19.311900] platform_probe+0x90/0xd8 ... [ 19.313579] CPU: 10 PID: 96 Comm: kworker/u24:2 Not tainted 6.2.0 #4 [ 19.320171] Hardware name: /, BIOS 1.0-d7fb19b 08/10/2022 [ 19.325852] Workqueue: events_unbound deferred_probe_work_func The stack trace is a bit misleading as dw_pcie_host_deinit() doesn't directly call pci_bus_release_domain_nr(). The issue turns out to be in pci_remove_root_bus() which first calls pci_remove_bus() which frees the struct pci_bus when its struct device is released. Then pci_bus_release_domain_nr() is called and accesses the freed struct pci_bus. Reordering these fixes the issue.
Severity ?
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: f8b6bd6c04d4dfc4c200e6fa306e61e3b42ec5fc , < 52b0343c7d628f37b38e3279ba585526b850ad3b (git)
Affected: db273126bf548a2dc611372e8f6a817b2b16b563 , < ad367516b1c09317111255ecfbf5e42c33e31918 (git)
Affected: ead4d69b3ef047b0f670511d81e9ced7ac876b44 , < fbf45385e3419b8698b5e0a434847072375cfec2 (git)
Affected: c14f7ccc9f5dcf9d06ddeec706f85405b2c80600 , < 07a75c0050e59c50f038cc5f4e2a3258c8f8c9d0 (git)
Affected: c14f7ccc9f5dcf9d06ddeec706f85405b2c80600 , < 30ba2d09edb5ea857a1473ae3d820911347ada62 (git)
Create a notification for this product.
    Linux Linux Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.2.12 , ≤ 6.2.* (semver)
Unaffected: 6.3 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-53363",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-14T18:44:47.836349Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-14T18:53:01.141Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/remove.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "52b0343c7d628f37b38e3279ba585526b850ad3b",
              "status": "affected",
              "version": "f8b6bd6c04d4dfc4c200e6fa306e61e3b42ec5fc",
              "versionType": "git"
            },
            {
              "lessThan": "ad367516b1c09317111255ecfbf5e42c33e31918",
              "status": "affected",
              "version": "db273126bf548a2dc611372e8f6a817b2b16b563",
              "versionType": "git"
            },
            {
              "lessThan": "fbf45385e3419b8698b5e0a434847072375cfec2",
              "status": "affected",
              "version": "ead4d69b3ef047b0f670511d81e9ced7ac876b44",
              "versionType": "git"
            },
            {
              "lessThan": "07a75c0050e59c50f038cc5f4e2a3258c8f8c9d0",
              "status": "affected",
              "version": "c14f7ccc9f5dcf9d06ddeec706f85405b2c80600",
              "versionType": "git"
            },
            {
              "lessThan": "30ba2d09edb5ea857a1473ae3d820911347ada62",
              "status": "affected",
              "version": "c14f7ccc9f5dcf9d06ddeec706f85405b2c80600",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/remove.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.12",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Fix use-after-free in pci_bus_release_domain_nr()\n\nCommit c14f7ccc9f5d (\"PCI: Assign PCI domain IDs by ida_alloc()\")\nintroduced a use-after-free bug in the bus removal cleanup. The issue was\nfound with kfence:\n\n  [   19.293351] BUG: KFENCE: use-after-free read in pci_bus_release_domain_nr+0x10/0x70\n\n  [   19.302817] Use-after-free read at 0x000000007f3b80eb (in kfence-#115):\n  [   19.309677]  pci_bus_release_domain_nr+0x10/0x70\n  [   19.309691]  dw_pcie_host_deinit+0x28/0x78\n  [   19.309702]  tegra_pcie_deinit_controller+0x1c/0x38 [pcie_tegra194]\n  [   19.309734]  tegra_pcie_dw_probe+0x648/0xb28 [pcie_tegra194]\n  [   19.309752]  platform_probe+0x90/0xd8\n  ...\n\n  [   19.311457] kfence-#115: 0x00000000063a155a-0x00000000ba698da8, size=1072, cache=kmalloc-2k\n\n  [   19.311469] allocated by task 96 on cpu 10 at 19.279323s:\n  [   19.311562]  __kmem_cache_alloc_node+0x260/0x278\n  [   19.311571]  kmalloc_trace+0x24/0x30\n  [   19.311580]  pci_alloc_bus+0x24/0xa0\n  [   19.311590]  pci_register_host_bridge+0x48/0x4b8\n  [   19.311601]  pci_scan_root_bus_bridge+0xc0/0xe8\n  [   19.311613]  pci_host_probe+0x18/0xc0\n  [   19.311623]  dw_pcie_host_init+0x2c0/0x568\n  [   19.311630]  tegra_pcie_dw_probe+0x610/0xb28 [pcie_tegra194]\n  [   19.311647]  platform_probe+0x90/0xd8\n  ...\n\n  [   19.311782] freed by task 96 on cpu 10 at 19.285833s:\n  [   19.311799]  release_pcibus_dev+0x30/0x40\n  [   19.311808]  device_release+0x30/0x90\n  [   19.311814]  kobject_put+0xa8/0x120\n  [   19.311832]  device_unregister+0x20/0x30\n  [   19.311839]  pci_remove_bus+0x78/0x88\n  [   19.311850]  pci_remove_root_bus+0x5c/0x98\n  [   19.311860]  dw_pcie_host_deinit+0x28/0x78\n  [   19.311866]  tegra_pcie_deinit_controller+0x1c/0x38 [pcie_tegra194]\n  [   19.311883]  tegra_pcie_dw_probe+0x648/0xb28 [pcie_tegra194]\n  [   19.311900]  platform_probe+0x90/0xd8\n  ...\n\n  [   19.313579] CPU: 10 PID: 96 Comm: kworker/u24:2 Not tainted 6.2.0 #4\n  [   19.320171] Hardware name:  /, BIOS 1.0-d7fb19b 08/10/2022\n  [   19.325852] Workqueue: events_unbound deferred_probe_work_func\n\nThe stack trace is a bit misleading as dw_pcie_host_deinit() doesn\u0027t\ndirectly call pci_bus_release_domain_nr(). The issue turns out to be in\npci_remove_root_bus() which first calls pci_remove_bus() which frees the\nstruct pci_bus when its struct device is released. Then\npci_bus_release_domain_nr() is called and accesses the freed struct\npci_bus. Reordering these fixes the issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-17T14:56:52.401Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/52b0343c7d628f37b38e3279ba585526b850ad3b"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad367516b1c09317111255ecfbf5e42c33e31918"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbf45385e3419b8698b5e0a434847072375cfec2"
        },
        {
          "url": "https://git.kernel.org/stable/c/07a75c0050e59c50f038cc5f4e2a3258c8f8c9d0"
        },
        {
          "url": "https://git.kernel.org/stable/c/30ba2d09edb5ea857a1473ae3d820911347ada62"
        }
      ],
      "title": "PCI: Fix use-after-free in pci_bus_release_domain_nr()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53363",
    "datePublished": "2025-09-17T14:56:52.401Z",
    "dateReserved": "2025-09-17T14:54:09.733Z",
    "dateUpdated": "2026-01-14T18:53:01.141Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.