Missing Release of Resource after Effective Lifetime Affecting libperf package, versions <0:5.14.0-362.8.1.el9_3
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CENTOS9-LIBPERF-13476117
- published8 Oct 2025
- disclosed7 Oct 2025
Introduced: 7 Oct 2025
NewCVE-2023-53641 (opens in a new tab)How to fix?
Upgrade Centos:9 libperf to version 0:5.14.0-362.8.1.el9_3 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream libperf package and not the libperf package as distributed by Centos.
See How to fix? for Centos:9 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: hif_usb: fix memory leak of remain_skbs
hif_dev->remain_skb is allocated and used exclusively in ath9k_hif_usb_rx_stream(). It is implied that an allocated remain_skb is processed and subsequently freed (in error paths) only during the next call of ath9k_hif_usb_rx_stream().
So, if the urbs are deallocated between those two calls due to the device deinitialization or suspend, it is possible that ath9k_hif_usb_rx_stream() is not called next time and the allocated remain_skb is leaked. Our local Syzkaller instance was able to trigger that.
remain_skb makes sense when receiving two consecutive urbs which are logically linked together, i.e. a specific data field from the first skb indicates a cached skb to be allocated, memcpy'd with some data and subsequently processed in the next call to ath9k_hif_usb_rx_stream(). Urbs deallocation supposedly makes that link irrelevant so we need to free the cached skb in those cases.
Fix the leak by introducing a function to explicitly free remain_skb (if it is not NULL) when the rx urbs have been deallocated. remain_skb is NULL when it has not been allocated at all (hif_dev struct is kzalloced) or when it has been processed in next call to ath9k_hif_usb_rx_stream().
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
References
- https://access.redhat.com/security/cve/CVE-2023-53641
- https://git.kernel.org/stable/c/320d760a35273aa815d58b57e4fd9ba5279a3489
- https://git.kernel.org/stable/c/59073060fe0950c6ecbe12bdc06469dcac62128d
- https://git.kernel.org/stable/c/6719e3797ec52cd144c8a5ba8aaab36674800585
- https://git.kernel.org/stable/c/7654cc03eb699297130b693ec34e25f77b17c947
- https://git.kernel.org/stable/c/8f02d538878c9b1501f624595eb22ee4e5e0ff84
- https://git.kernel.org/stable/c/9b9356a3014123f0ce4b50d9278c1265173150ab
- https://git.kernel.org/stable/c/d9899318660791141ea6002fda5577b2c5d7386e
- https://git.kernel.org/stable/c/f0931fc8f4b6847c72e170d2326861c0a081d680