CVE-2023-53023
Published: 27 March 2025
Summary
CVE-2023-53023 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 5.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the use-after-free vulnerability by applying the specific Linux kernel patch that sets local->rx_pending to NULL after freeing, preventing the double-free in local_cleanup().
Prohibits or restricts NFC subsystem functionality, such as by disabling NFC drivers like pn533_usb or the LLCP module, eliminating the conditions for device detachment and daemon termination that trigger the vulnerability.
Implements kernel memory protections like KASLR, SMEP/SMAP, and stack canaries that mitigate exploitation of the use-after-free for arbitrary code execution or corruption even if the double-free occurs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The kernel use-after-free in NFC LLCP enables local low-privileged exploitation for arbitrary code execution/privilege escalation (T1068) or system denial of service via memory corruption (T1499.004).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: net: nfc: Fix use-after-free in local_cleanup() Fix a use-after-free that occurs in kfree_skb() called from local_cleanup(). This could happen when killing nfc daemon (e.g. neard) after detaching an nfc device.…
more
When detaching an nfc device, local_cleanup() called from nfc_llcp_unregister_device() frees local->rx_pending and decreases local->ref by kref_put() in nfc_llcp_local_put(). In the terminating process, nfc daemon releases all sockets and it leads to decreasing local->ref. After the last release of local->ref, local_cleanup() called from local_release() frees local->rx_pending again, which leads to the bug. Setting local->rx_pending to NULL in local_cleanup() could prevent use-after-free when local_cleanup() is called twice. Found by a modified version of syzkaller. BUG: KASAN: use-after-free in kfree_skb() Call Trace: dump_stack_lvl (lib/dump_stack.c:106) print_address_description.constprop.0.cold (mm/kasan/report.c:306) kasan_check_range (mm/kasan/generic.c:189) kfree_skb (net/core/skbuff.c:955) local_cleanup (net/nfc/llcp_core.c:159) nfc_llcp_local_put.part.0 (net/nfc/llcp_core.c:172) nfc_llcp_local_put (net/nfc/llcp_core.c:181) llcp_sock_destruct (net/nfc/llcp_sock.c:959) __sk_destruct (net/core/sock.c:2133) sk_destruct (net/core/sock.c:2181) __sk_free (net/core/sock.c:2192) sk_free (net/core/sock.c:2203) llcp_sock_release (net/nfc/llcp_sock.c:646) __sock_release (net/socket.c:650) sock_close (net/socket.c:1365) __fput (fs/file_table.c:306) task_work_run (kernel/task_work.c:179) ptrace_notify (kernel/signal.c:2354) syscall_exit_to_user_mode_prepare (kernel/entry/common.c:278) syscall_exit_to_user_mode (kernel/entry/common.c:296) do_syscall_64 (arch/x86/entry/common.c:86) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:106) Allocated by task 4719: kasan_save_stack (mm/kasan/common.c:45) __kasan_slab_alloc (mm/kasan/common.c:325) slab_post_alloc_hook (mm/slab.h:766) kmem_cache_alloc_node (mm/slub.c:3497) __alloc_skb (net/core/skbuff.c:552) pn533_recv_response (drivers/nfc/pn533/usb.c:65) __usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1671) usb_giveback_urb_bh (drivers/usb/core/hcd.c:1704) tasklet_action_common.isra.0 (kernel/softirq.c:797) __do_softirq (kernel/softirq.c:571) Freed by task 1901: kasan_save_stack (mm/kasan/common.c:45) kasan_set_track (mm/kasan/common.c:52) kasan_save_free_info (mm/kasan/genericdd.c:518) __kasan_slab_free (mm/kasan/common.c:236) kmem_cache_free (mm/slub.c:3809) kfree_skbmem (net/core/skbuff.c:874) kfree_skb (net/core/skbuff.c:931) local_cleanup (net/nfc/llcp_core.c:159) nfc_llcp_unregister_device (net/nfc/llcp_core.c:1617) nfc_unregister_device (net/nfc/core.c:1179) pn53x_unregister_nfc (drivers/nfc/pn533/pn533.c:2846) pn533_usb_disconnect (drivers/nfc/pn533/usb.c:579) usb_unbind_interface (drivers/usb/core/driver.c:458) device_release_driver_internal (drivers/base/dd.c:1279) bus_remove_device (drivers/base/bus.c:529) device_del (drivers/base/core.c:3665) usb_disable_device (drivers/usb/core/message.c:1420) usb_disconnect (drivers/usb/core.c:2261) hub_event (drivers/usb/core/hub.c:5833) process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2281) worker_thread (include/linux/list.h:282 kernel/workqueue.c:2423) kthread (kernel/kthread.c:319) ret_from_fork (arch/x86/entry/entry_64.S:301)
Deeper analysisAI
CVE-2023-53023 is a use-after-free vulnerability in the Linux kernel's NFC subsystem, specifically within the LLCP (Logical Link Control Protocol) implementation in net/nfc/llcp_core.c. The issue arises in the local_cleanup() function, where local->rx_pending is freed via kfree_skb() during NFC device detachment via nfc_llcp_unregister_device(). A subsequent call to local_cleanup() from local_release()—triggered by NFC daemon termination, such as killing neard—attempts to free the same skb again, leading to the use-after-free. This was detected by KASAN during fuzzing with a modified syzkaller, manifesting as a crash in kfree_skb().
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N) by detaching an NFC device and then terminating the NFC daemon process, such as neard. The attack requires local access to a system with an NFC device driver loaded, like pn533_usb. Successful exploitation of the use-after-free (CWE-416) could result in high confidentiality, integrity, and availability impacts (CVSS 7.8), potentially allowing kernel memory corruption, arbitrary code execution, or system denial of service.
Kernel patches addressing this issue are available in multiple stable branches via the referenced commits, which modify local_cleanup() to set local->rx_pending to NULL after freeing, preventing the double-free when the function is invoked multiple times. Security practitioners should update affected Linux kernels to incorporate these fixes, particularly on systems utilizing NFC functionality.
Details
- CWE(s)