CVE-2023-53533 in Linux
Summary
by MITRE • 10/04/2025
In the Linux kernel, the following vulnerability has been resolved:
Input: raspberrypi-ts - fix refcount leak in rpi_ts_probe
rpi_firmware_get() takes a reference; we need to release it in error paths as well. Use the devm_rpi_firmware_get() helper to handle the resources. Also remove the existing rpi_firmware_put().
Analysis
by VulDB Data Team • 03/01/2026
The vulnerability CVE-2023-53533 represents a memory management issue within the Linux kernel's touchscreen driver for Raspberry Pi devices. This flaw specifically affects the raspberrypi-ts kernel module which handles touchscreen input functionality on Raspberry Pi hardware platforms. The vulnerability stems from improper reference counting mechanisms during device initialization and error handling paths within the driver's probe function. The root cause lies in the inconsistent management of firmware references that are acquired through the rpi_firmware_get() function but not properly released in all execution paths including error conditions.
The technical implementation flaw manifests when the rpi_ts_probe function processes device initialization. The driver calls rpi_firmware_get() to obtain a reference to the Raspberry Pi firmware interface, which increments an internal reference counter to track resource usage. However, during error handling scenarios or when initialization fails partway through the process, the driver fails to properly decrement this reference counter through the corresponding rpi_firmware_put() function call. This creates a reference count leak where the firmware resource remains allocated in memory even though the driver is no longer actively using it, leading to potential resource exhaustion over time.
This vulnerability impacts the operational stability and security posture of Linux systems running on Raspberry Pi hardware, particularly those utilizing touchscreen peripherals. The reference count leak can accumulate over time, potentially leading to memory pressure that affects system performance or even system crashes under resource-constrained conditions. The issue is classified as a memory leak under CWE-401: Improper Release of Memory After Effective Usage, a well-documented category of vulnerabilities in kernel space programming. The flaw represents a classic resource management error that can be exploited to degrade system performance or create denial-of-service conditions.
The mitigation is to acquire the firmware reference through the devm_rpi_firmware_get() helper function, which automatically handles resource cleanup during device removal or error conditions. This approach follows the kernel's device management best practices and ensures that the firmware reference is released regardless of the execution path taken during driver initialization. Because cleanup is automatic, manual rpi_firmware_put() calls are no longer needed, and the fix removes the existing ones. In ATT&CK terms the fix relates to T1499.004, a technique related to resource exhaustion, because it prevents the accumulation of unreleased kernel resources that could be exploited to consume system resources. devm_rpi_firmware_get() belongs to the kernel's devm_ family of managed resource helpers, which tie cleanup to the device's lifecycle and so prevent leaked references from building up and eventually affecting system stability and performance.