CVE-2023-53854 in Linux
Summary
by MITRE • 12/09/2025
In the Linux kernel, the following vulnerability has been resolved:
ASoC: mediatek: mt8186: Fix use-after-free in driver remove path
When devm runs function in the "remove" path for a device it runs them in the reverse order. That means that if you have parts of your driver that aren't using devm or are using "roll your own" devm w/ devm_add_action_or_reset() you need to keep that in mind.
The mt8186 audio driver didn't quite get this right. Specifically, in mt8186_init_clock() it called mt8186_audsys_clk_register() and then went on to call a bunch of other devm function. The caller of mt8186_init_clock() used devm_add_action_or_reset() to call mt8186_deinit_clock() but, because of the intervening devm functions, the order was wrong.
Specifically at probe time, the order was: 1. mt8186_audsys_clk_register() 2. afe_priv->clk = devm_kcalloc(...) 3. afe_priv->clk[i] = devm_clk_get(...)
At remove time, the order (which should have been 3, 2, 1) was: 1. mt8186_audsys_clk_unregister() 3. Free all of afe_priv->clk[i]
2. Free afe_priv->clk
The above seemed to be causing a use-after-free. Luckily, it's easy to fix this by simply using devm more correctly. Let's move the devm_add_action_or_reset() to the right place. In addition to fixing the use-after-free, code inspection shows that this fixes a leak (missing call to mt8186_audsys_clk_unregister()) that would have happened if any of the syscon_regmap_lookup_by_phandle() calls in mt8186_init_clock() had failed.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 03/30/2026
The vulnerability identified as CVE-2023-53854 represents a critical use-after-free condition within the Linux kernel's Advanced SoC (ASoC) audio driver framework, specifically affecting the MediaTek mt8186 audio subsystem. This flaw occurs during the device removal lifecycle when the kernel's device management subsystem executes cleanup functions in reverse order. The issue stems from improper handling of device management resources within the driver's remove path, creating a scenario where memory references become invalid before all dependent operations complete. The vulnerability is classified under CWE-416 as a use-after-free condition, which can lead to unpredictable behavior and potential security exploitation. The flaw manifests in the interaction between the kernel's devm (device management) subsystem and custom cleanup functions, where the expected execution order of resource deallocation becomes corrupted due to improper placement of cleanup actions.
The technical implementation of this vulnerability occurs in the mt8186 audio driver's initialization and removal functions where the sequence of operations during device removal does not align with the expected devm execution order. During probe time, the driver correctly initializes clock resources through mt8186_audsys_clk_register() followed by devm_kcalloc() and devm_clk_get() operations. However, during removal, the execution order becomes inverted, causing mt8186_audsys_clk_unregister() to execute before the devm-managed clock resources are properly freed. This misordering creates a use-after-free scenario where the driver attempts to access memory that has already been released, potentially leading to kernel crashes or memory corruption. The flaw demonstrates a fundamental misunderstanding of how devm subsystems manage resource lifecycle, particularly when mixing devm functions with custom cleanup mechanisms using devm_add_action_or_reset().
The operational impact of CVE-2023-53854 extends beyond simple system instability to potentially enable privilege escalation and denial-of-service conditions within embedded Linux systems. Systems utilizing MediaTek mt8186 audio hardware are particularly vulnerable, including various smartphones, tablets, and embedded devices that rely on this audio controller. The vulnerability can be exploited through normal device operation, making it particularly dangerous as it requires no special privileges or conditions to trigger. Attackers could potentially leverage the use-after-free condition to execute arbitrary code within kernel space, though the complexity of exploitation would depend on the specific system configuration and available attack surface. The flaw also introduces memory leaks in failure scenarios, where the missing mt8186_audsys_clk_unregister() call would cause resource leaks that accumulate over time, eventually leading to system instability and performance degradation.
The remediation for CVE-2023-53854 involves correcting the resource management ordering within the driver's cleanup path by properly placing the devm_add_action_or_reset() call to align with the expected execution sequence. This fix ensures that devm resources are freed in the correct order, preventing the use-after-free condition that was previously occurring. The solution addresses both the immediate security vulnerability and the underlying memory leak issue that would have occurred if any syscon_regmap_lookup_by_phandle() calls failed during initialization. This fix aligns with ATT&CK technique T1068 by addressing privilege escalation opportunities through kernel memory corruption vulnerabilities, and follows the principle of least privilege by ensuring proper resource management. The corrected implementation ensures that all device resources are properly accounted for during both successful and failure scenarios, maintaining system stability and preventing potential exploitation vectors that could arise from improper memory management in kernel subsystems.