CVE-2023-53849 in Linuxinfo

Summary

by MITRE • 12/09/2025

In the Linux kernel, the following vulnerability has been resolved:

drm/msm: fix workqueue leak on bind errors

Make sure to destroy the workqueue also in case of early errors during bind (e.g. a subcomponent failing to bind).

Since commit c3b790ea07a1 ("drm: Manage drm_mode_config_init with drmm_") the mode config will be freed when the drm device is released also when using the legacy interface, but add an explicit cleanup for consistency and to facilitate backporting.

Patchwork: https://patchwork.freedesktop.org/patch/525093/

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 03/30/2026

The vulnerability CVE-2023-53849 represents a memory management issue within the Linux kernel's direct rendering manager subsystem, specifically affecting the msm driver used for Qualcomm Snapdragon graphics processing units. This flaw manifests as a workqueue leak that occurs during the device binding process when early errors are encountered. The vulnerability stems from insufficient cleanup operations in error handling paths, where workqueues are not properly destroyed when subcomponents fail to bind during initialization. The issue affects the drm/msm driver component that manages graphics hardware interfaces and represents a classic resource leak scenario that can lead to system instability over time.

The technical implementation flaw occurs in the device binding mechanism where the drm_mode_config_init function, managed through drmm_ interface, is designed to automatically clean up resources when the drm device is released. However, the patch addresses a gap in the error handling logic that fails to destroy workqueues when early binding errors occur, particularly during the initialization of subcomponents. This creates a situation where workqueues remain allocated in memory even when the device binding process fails, leading to gradual resource exhaustion. The vulnerability is classified as a resource leak under CWE-404, specifically related to improper resource cleanup, and represents a failure in the kernel's memory management subsystem to properly handle exceptional conditions during driver initialization.

The operational impact of this vulnerability extends beyond simple memory consumption, potentially leading to system performance degradation and instability in graphics-intensive applications. When multiple device binding operations fail or when the graphics subsystem experiences repeated initialization errors, the accumulated workqueue leaks can consume significant system resources and may eventually cause system crashes or rendering failures. The vulnerability affects systems using Qualcomm Snapdragon graphics hardware through the drm/msm driver interface, particularly impacting mobile devices, embedded systems, and servers that rely on this graphics subsystem. From an attack perspective, this represents a denial of service vulnerability that could be exploited by malicious actors to exhaust system resources through repeated binding failures or by triggering specific error conditions that lead to resource leaks.

Mitigation strategies for CVE-2023-53849 involve applying the upstream kernel patch that ensures proper workqueue destruction during early binding errors, along with implementing monitoring systems to detect resource leaks in graphics drivers. System administrators should prioritize updating kernel versions to include the fix, particularly in production environments where graphics stability is critical. The patch addresses this issue by adding explicit cleanup operations for consistency and to facilitate backporting to older kernel versions, aligning with ATT&CK technique T1499.004 for resource exhaustion and T1070.006 for indicator removal. Organizations should also implement regular system monitoring to detect unusual memory consumption patterns in graphics subsystems, as the vulnerability could be exploited to gradually consume system resources without immediate detection, making it particularly dangerous in long-running systems.

Responsible

Linux

Reservation

12/09/2025

Disclosure

12/09/2025

Moderation

accepted

CPE

ready

EPSS

0.00194

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!