Bug 2402263 (CVE-2023-53674)

Summary: CVE-2023-53674 kernel: clk: Fix memory leak in devm_clk_notifier_register()
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A resource-management flaw was found in the Linux kernel Common Clock Framework. The device-managed clock notifier registration function failed to register its allocated resource, preventing cleanup on device detach. A local user repeatedly binding and unbinding devices could cause memory leaks and eventual denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-10-07 16:06:13 UTC 
In the Linux kernel, the following vulnerability has been resolved:

clk: Fix memory leak in devm_clk_notifier_register()

devm_clk_notifier_register() allocates a devres resource for clk
notifier but didn't register that to the device, so the notifier didn't
get unregistered on device detach and the allocated resource was leaked.

Fix the issue by registering the resource through devres_add().

This issue was found with kmemleak on a Chromebook.
Comment 1 Jon Moroney 2025-10-07 16:19:44 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025100706-CVE-2023-53674-af85@gregkh/T