CVE-2023-53363 in Linux
Summary
by MITRE • 09/17/2025
In the Linux kernel, the following vulnerability has been resolved:
PCI: Fix use-after-free in pci_bus_release_domain_nr()
Commit c14f7ccc9f5d ("PCI: Assign PCI domain IDs by ida_alloc()") introduced a use-after-free bug in the bus removal cleanup. The issue was found with kfence:
[ 19.293351] BUG: KFENCE: use-after-free read in pci_bus_release_domain_nr+0x10/0x70
[ 19.302817] Use-after-free read at 0x000000007f3b80eb (in kfence-#115):
[ 19.309677] pci_bus_release_domain_nr+0x10/0x70
[ 19.309691] dw_pcie_host_deinit+0x28/0x78
[ 19.309702] tegra_pcie_deinit_controller+0x1c/0x38 [pcie_tegra194]
[ 19.309734] tegra_pcie_dw_probe+0x648/0xb28 [pcie_tegra194]
[ 19.309752] platform_probe+0x90/0xd8
...
[ 19.311457] kfence-#115: 0x00000000063a155a-0x00000000ba698da8, size=1072, cache=kmalloc-2k
[ 19.311469] allocated by task 96 on cpu 10 at 19.279323s:
[ 19.311562] __kmem_cache_alloc_node+0x260/0x278
[ 19.311571] kmalloc_trace+0x24/0x30
[ 19.311580] pci_alloc_bus+0x24/0xa0
[ 19.311590] pci_register_host_bridge+0x48/0x4b8
[ 19.311601] pci_scan_root_bus_bridge+0xc0/0xe8
[ 19.311613] pci_host_probe+0x18/0xc0
[ 19.311623] dw_pcie_host_init+0x2c0/0x568
[ 19.311630] tegra_pcie_dw_probe+0x610/0xb28 [pcie_tegra194]
[ 19.311647] platform_probe+0x90/0xd8
...
[ 19.311782] freed by task 96 on cpu 10 at 19.285833s:
[ 19.311799] release_pcibus_dev+0x30/0x40
[ 19.311808] device_release+0x30/0x90
[ 19.311814] kobject_put+0xa8/0x120
[ 19.311832] device_unregister+0x20/0x30
[ 19.311839] pci_remove_bus+0x78/0x88
[ 19.311850] pci_remove_root_bus+0x5c/0x98
[ 19.311860] dw_pcie_host_deinit+0x28/0x78
[ 19.311866] tegra_pcie_deinit_controller+0x1c/0x38 [pcie_tegra194]
[ 19.311883] tegra_pcie_dw_probe+0x648/0xb28 [pcie_tegra194]
[ 19.311900] platform_probe+0x90/0xd8
...
[ 19.313579] CPU: 10 PID: 96 Comm: kworker/u24:2 Not tainted 6.2.0 #4
[ 19.320171] Hardware name: /, BIOS 1.0-d7fb19b 08/10/2022
[ 19.325852] Workqueue: events_unbound deferred_probe_work_func
The stack trace is a bit misleading as dw_pcie_host_deinit() doesn't directly call pci_bus_release_domain_nr(). The issue turns out to be in pci_remove_root_bus() which first calls pci_remove_bus() which frees the struct pci_bus when its struct device is released. Then pci_bus_release_domain_nr() is called and accesses the freed struct pci_bus. Reordering these fixes the issue.
Analysis
by VulDB Data Team • 12/27/2025
CVE-2023-53363 is a use-after-free read in the Linux kernel's PCI core: pci_bus_release_domain_nr() is called from pci_remove_root_bus() on a struct pci_bus that has already been freed. It was introduced by commit c14f7ccc9f5d ("PCI: Assign PCI domain IDs by ida_alloc()"), which hands out dynamically assigned PCI domain numbers from an ida and therefore has to return them to the ida when a root bus is removed; that release step was added after the step that frees the bus it needs to read. Nobody attacked anything to find it: KFENCE, the low-overhead sampling memory-safety detector, reported the stale read on a 6.2.0 kernel while the Tegra194 PCIe driver was tearing down a host bridge from inside its probe routine.
The root cause is the order of two calls in pci_remove_root_bus(). It first calls pci_remove_bus(), which unregisters the bus device; dropping the device's last reference runs kobject_put() -> device_release() -> release_pcibus_dev(), which frees the struct pci_bus (the report shows a 1072-byte object from the kmalloc-2k cache). Only afterwards does pci_remove_root_bus() call pci_bus_release_domain_nr(), which reads the now-freed struct pci_bus to find the domain number it must hand back to the ida. The KFENCE trace names dw_pcie_host_deinit() as the caller because the intermediate pci_remove_root_bus() frame does not appear in it; as the commit message says, the ordering defect is in pci_remove_root_bus() itself, not in the DesignWare or Tegra code. What the trace does establish is the trigger: tegra_pcie_dw_probe(), running on a deferred-probe worker (Workqueue: events_unbound deferred_probe_work_func), had just called dw_pcie_host_init() and was unwinding that host bridge through tegra_pcie_deinit_controller(), an ordinary driver teardown path. Concretely, a resource keyed by a field of an object (the domain number stored in the bus) was released after the last reference to that object had been dropped.
The impact should be stated more carefully than "critical". This is a read of freed memory on a kernel-internal teardown path: it runs when a root bus is removed, for example when a PCIe host-controller driver unwinds after a failed probe or is unbound. No user-supplied data reaches the freed object, and the page shows no unprivileged trigger. The likely outcomes are a stale read that either leaks the domain number in the ida or, if the slab has already been reused, returns the wrong one, a KFENCE or KASAN splat on kernels that have those detectors enabled, and in the worst case a crash during driver teardown (denial of service). Turning this into privilege escalation or code execution would require an attacker to reallocate the freed struct pci_bus with controlled contents in the window between the two calls, and nothing on this page provides such a primitive. The affected code is the generic PCI core, so any kernel that carries c14f7ccc9f5d and removes a root bus is exposed regardless of SoC; the report comes from a Tegra194 board simply because that is where a probe-time teardown exercised the path.
Mitigation is the upstream fix, which moves the pci_bus_release_domain_nr() call in pci_remove_root_bus() ahead of pci_remove_bus(), so the domain number is returned to the ida while the struct pci_bus is still alive and the bus is freed last. Deploy a kernel that contains the commit titled "PCI: Fix use-after-free in pci_bus_release_domain_nr()" (check the distribution changelog or git log for that subject), with priority on platforms where PCIe host controllers are probed, deferred and unwound at boot, as in the Tegra194 report. To catch the same class of bug elsewhere, KFENCE is cheap enough to leave enabled on production-like test fleets and is what found this one; KASAN in CI kernels catches the same pattern deterministically rather than by sampling. The review rule for driver and subsystem teardown code is simple: release every resource that is looked up through a field of an object before dropping the last reference to that object, and treat a reference-counted object (kobject, struct device) as gone the moment the final put is issued. The weakness is CWE-416 (Use After Free). The ATT&CK mapping to T1068 (Exploitation for Privilege Escalation) is a generic classification for kernel memory corruption, not a demonstrated exploitation path for this bug.
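As an added illustration for the root-cause and mitigation paragraphs above (constructed for this page; it is not kernel code and not VulDB's), the C model below reproduces the ordering bug: a never-reused object pool stands in for kmalloc/kfree with a liveness bit playing the role KFENCE played in the report, a bitmap stands in for the ida, and two versions of the root-bus removal show the order introduced by c14f7ccc9f5d beside the fixed order. All identifiers with the _model suffix, the return codes and the poison value are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_DOMAINS   8
#define BUS_POOL_SIZE 16

/* Return codes assumed for this model (not kernel errno values). */
#define BUS_OK        0
#define BUS_ERR_INVAL (-1)   /* domain id not allocated or out of range */
#define BUS_ERR_UAF   (-2)   /* object touched after release (KFENCE-like trap) */

/* Stand-in for the ida introduced by "PCI: Assign PCI domain IDs by ida_alloc()". */
static bool domain_in_use[MAX_DOMAINS];

static int domain_alloc(void)
{
    for (int i = 0; i < MAX_DOMAINS; i++) {
        if (!domain_in_use[i]) {
            domain_in_use[i] = true;
            return i;
        }
    }
    return BUS_ERR_INVAL;
}

static int domain_free(int id)
{
    if (id < 0 || id >= MAX_DOMAINS || !domain_in_use[id])
        return BUS_ERR_INVAL;
    domain_in_use[id] = false;
    return BUS_OK;
}

bool domain_is_in_use(int id)
{
    return id >= 0 && id < MAX_DOMAINS && domain_in_use[id];
}

/* Minimal stand-in for struct pci_bus: only the fields the bug touches. */
struct pci_bus_model {
    int  domain_nr;  /* the value pci_bus_release_domain_nr() reads back */
    int  refcount;   /* stand-in for the embedded kobject refcount */
    bool freed;      /* liveness bit, set when the last reference is dropped */
};

/* Objects come from a pool and are never reused, so a "freed" object can
 * still be inspected safely; real kfree() would hand the memory to others. */
static struct pci_bus_model bus_pool[BUS_POOL_SIZE];
static size_t next_bus;

struct pci_bus_model *bus_alloc(void)
{
    if (next_bus >= BUS_POOL_SIZE)
        return NULL;
    int id = domain_alloc();
    if (id < 0)
        return NULL;
    struct pci_bus_model *bus = &bus_pool[next_bus++];
    bus->domain_nr = id;
    bus->refcount = 1;
    bus->freed = false;
    return bus;
}

/* pci_remove_bus(): the last kobject_put() reaches release_pcibus_dev(),
 * which frees the bus.  Here the slab poison overwrites domain_nr. */
static void remove_bus_model(struct pci_bus_model *bus)
{
    if (--bus->refcount == 0) {
        bus->freed = true;
        bus->domain_nr = 0x6b6b6b6b;
    }
}

/* pci_bus_release_domain_nr(): return bus->domain_nr to the ida.  The
 * liveness check is the detector; without it the poisoned value would be
 * passed to domain_free() and the real id would leak. */
int release_domain_nr_model(struct pci_bus_model *bus)
{
    if (bus->freed)
        return BUS_ERR_UAF;
    return domain_free(bus->domain_nr);
}

/* Order as introduced by c14f7ccc9f5d: free the bus, then read from it. */
int remove_root_bus_buggy(struct pci_bus_model *bus)
{
    remove_bus_model(bus);
    return release_domain_nr_model(bus);
}

/* Order after the fix: release the domain number while the bus is alive,
 * then drop the reference that frees it. */
int remove_root_bus_fixed(struct pci_bus_model *bus)
{
    int rc = release_domain_nr_model(bus);
    remove_bus_model(bus);
    return rc;
}

int main(void)
{
    struct pci_bus_model *bus = bus_alloc();
    if (!bus)
        return 1;
    int id = bus->domain_nr;
    int rc = remove_root_bus_buggy(bus);
    printf("buggy order: rc=%d, domain %d still in use: %d\n", rc, id, domain_is_in_use(id));

    bus = bus_alloc();
    if (!bus)
        return 1;
    id = bus->domain_nr;
    rc = remove_root_bus_fixed(bus);
    printf("fixed order: rc=%d, domain %d still in use: %d\n", rc, id, domain_is_in_use(id));
    return 0;
}
```

In the buggy order the release call trips the liveness check and the domain number is never returned, which is the leak-or-wrong-id outcome described above; without such a check the stale read would only be noticed if the freed memory had already been reused, which is why the kernel bug stayed hidden until KFENCE sampled that allocation. The fixed order returns the id and then frees the bus, and nothing touches the object after its last reference is dropped.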