CVE-2023-1079 in Linux
Summary
by MITRE • 03/28/2023
A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 10/17/2025
The vulnerability identified as CVE-2023-1079 represents a critical use-after-free flaw within the Linux kernel's handling of ASUS keyboard backlight functionality. This security issue specifically affects systems running Linux kernels that support ASUS keyboard backlight drivers, creating a potential pathway for malicious actors to exploit memory corruption vulnerabilities through USB device manipulation. The flaw manifests when a malicious USB device attempts to mimic an ASUS device by advertising itself as such during connection or disconnection events, exploiting the kernel's handling of the asus_kbd_backlight_set function.
The technical implementation of this vulnerability stems from improper memory management within the asus_kbd_leds structure handling. When a USB device claims to be an ASUS device and undergoes connection or disconnection processes, the kernel's LED controller may schedule a work_struct while the device is in the process of disconnecting. This timing issue creates a race condition where the work_struct execution occurs after the asus_kbd_leds *led structure has been freed, resulting in a use-after-free condition that allows for controlled memory corruption. The vulnerability operates through the kernel's USB subsystem and specifically targets the ASUS keyboard backlight driver module, making it particularly relevant for systems with ASUS hardware that support keyboard backlight functionality.
The operational impact of this vulnerability extends beyond simple memory corruption, as it provides a potential attack vector for privilege escalation and system compromise. An attacker with physical access to a target system could exploit this flaw by connecting a malicious USB device that mimics ASUS hardware characteristics, potentially leading to arbitrary code execution within kernel space. This represents a significant security risk because the attack requires only physical access to the device, making it particularly concerning for environments where untrusted USB devices might be connected. The vulnerability aligns with CWE-416, which specifically addresses use-after-free conditions, and can be mapped to ATT&CK technique T1059.006 for kernel-level code execution through legitimate system processes.
Mitigation strategies for CVE-2023-1079 should focus on both immediate kernel updates and operational security measures. System administrators should prioritize applying the latest kernel patches that address this specific vulnerability, as the fix typically involves proper synchronization mechanisms and memory management controls within the USB subsystem. Organizations should also implement USB device whitelisting policies and disable unnecessary USB functionality when possible. Additionally, monitoring for suspicious USB device connections and implementing runtime protections such as kernel module signing and secure boot configurations can provide additional layers of defense against exploitation attempts. The vulnerability demonstrates the importance of proper resource management in kernel drivers and highlights the need for thorough testing of device connection/disconnection sequences in embedded system components.