Operation on a Resource after Expiration or Release Affecting libperf package, versions *


Severity

Recommended
0.0
medium
0
10

Based on CentOS security rating.

Threat Intelligence

EPSS
0.02% (6th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CENTOS9-LIBPERF-13226409
  • published3 Oct 2025
  • disclosed1 Oct 2025

Introduced: 1 Oct 2025

NewCVE-2023-53515  (opens in a new tab)
CWE-672  (opens in a new tab)

How to fix?

There is no fixed version for Centos:9 libperf.

NVD Description

Note: Versions mentioned in the description apply only to the upstream libperf package and not the libperf package as distributed by Centos. See How to fix? for Centos:9 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

virtio-mmio: don't break lifecycle of vm_dev

vm_dev has a separate lifecycle because it has a 'struct device' embedded. Thus, having a release callback for it is correct.

Allocating the vm_dev struct with devres totally breaks this protection, though. Instead of waiting for the vm_dev release callback, the memory is freed when the platform_device is removed. Resulting in a use-after-free when finally the callback is to be called.

To easily see the problem, compile the kernel with CONFIG_DEBUG_KOBJECT_RELEASE and unbind with sysfs.

The fix is easy, don't use devres in this case.

Found during my research about object lifetime problems.

CVSS Base Scores

version 3.1