CVE-2023-53649 in Linux
Summary
by MITRE • 10/07/2025
In the Linux kernel, the following vulnerability has been resolved:
perf trace: Really free the evsel->priv area
In 3cb4d5e00e037c70 ("perf trace: Free syscall tp fields in evsel->priv") it only was freeing if strcmp(evsel->tp_format->system, "syscalls") returned zero, while the corresponding initialization of evsel->priv was being performed if it was _not_ zero, i.e. if the tp system wasn't 'syscalls'.
Just stop looking for that and free it if evsel->priv was set, which should be equivalent.
Also use the pre-existing evsel_trace__delete() function.
This resolves these leaks, detected with:
$ make EXTRA_CFLAGS="-fsanitize=address" BUILD_BPF_SKEL=1 CORESIGHT=1 O=/tmp/build/perf-tools-next -C tools/perf install-bin
================================================================= ==481565==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 40 byte(s) in 1 object(s) allocated from: #0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097) #1 0x987966 in zalloc (/home/acme/bin/perf+0x987966) #2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307 #3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333 #4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458 #5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480 #6 0x540e8b in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3212 #7 0x540e8b in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891 #8 0x540e8b in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156 #9 0x5ef262 in run_builtin /home/acme/git/perf-tools-next/tools/perf/perf.c:323 #10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377 #11 0x4196da in run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421 #12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537 #13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
Direct leak of 40 byte(s) in 1 object(s) allocated from: #0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097) #1 0x987966 in zalloc (/home/acme/bin/perf+0x987966) #2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307 #3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333 #4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458 #5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480 #6 0x540dd1 in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3205 #7 0x540dd1 in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891 #8 0x540dd1 in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156 #9 0x5ef262 in run_builtin /home/acme/git/perf-tools-next/tools/perf/perf.c:323 #10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377 #11 0x4196da in run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421 #12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537 #13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
SUMMARY: AddressSanitizer: 80 byte(s) leaked in 2 allocation(s). [root@quaco ~]#
With this we plug all leaks with "perf trace sleep 1".
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/01/2026
The vulnerability identified as CVE-2023-53649 resides within the Linux kernel's performance tracing subsystem, specifically affecting the perf tool's handling of event selection structures. This memory leak occurs during the processing of syscall tracepoints, where the evsel->priv area is not properly freed under certain conditions, leading to persistent memory consumption that can accumulate over time and potentially impact system performance. The flaw demonstrates a classic case of asymmetric memory management where initialization and deallocation logic do not align properly, creating a scenario where allocated memory remains unreleased.
The technical root cause stems from an inconsistent conditional logic in the perf trace implementation where memory allocation for evsel->priv occurs when the tracepoint system is not "syscalls", but the corresponding deallocation only occurred when the system was specifically "syscalls". This conditional inversion creates a memory leak pattern where the memory allocated for non-syscall tracepoints is never freed, as the cleanup logic was incorrectly restricted to syscall-specific tracepoints. The vulnerability manifests through the perf trace command when processing system call tracepoints, with memory sanitizer detecting 80 bytes of leaked memory across two allocations that occur during tracepoint initialization and processing.
The operational impact of this vulnerability extends beyond simple memory waste, as it represents a potential denial of service vector through resource exhaustion, particularly in systems that frequently utilize perf trace functionality. The leak is triggered specifically when executing perf trace commands with syscall processing, making it relevant to system monitoring and debugging operations that rely heavily on performance tracing capabilities. This flaw affects systems running Linux kernels that incorporate the specific perf trace implementation, particularly those utilizing the tools/perf subsystem for system call monitoring and tracing activities.
Mitigation of this vulnerability requires applying the kernel patch that corrects the conditional logic in the memory management routines, ensuring that evsel->priv is freed whenever it is set, regardless of the tracepoint system type. The fix involves using the existing evsel_trace__delete() function consistently rather than maintaining the flawed conditional checks, which aligns with established best practices for memory management in kernel subsystems. The solution demonstrates proper resource handling through consistent allocation and deallocation patterns, addressing the memory leak that was detected through AddressSanitizer instrumentation and confirms that the fix resolves the specific 80-byte leak observed in perf trace operations.
This vulnerability maps to CWE-401: Improper Release of Memory Before Removing Last Reference and aligns with ATT&CK technique T1059.001 for command and scripting interpreter, as it affects system utilities that could be leveraged by adversaries to consume system resources. The fix ensures that all allocated memory in the perf trace subsystem is properly managed and released, preventing the accumulation of leaked memory that could be exploited for resource exhaustion attacks. The remediation approach emphasizes the importance of symmetric memory management patterns in kernel code, where every allocation has a corresponding deallocation, and the fix validates that the perf tool's memory handling now follows proper resource lifecycle management principles.