{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: USB: Gadget: core: Help prevent panic during UVC unconfigure",
    "id" : "2401476",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401476"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-764",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nUSB: Gadget: core: Help prevent panic during UVC unconfigure\nAvichal Rakesh reported a kernel panic that occurred when the UVC\ngadget driver was removed from a gadget's configuration.  The panic\ninvolves a somewhat complicated interaction between the kernel driver\nand a userspace component (as described in the Link tag below), but\nthe analysis did make one thing clear: The Gadget core should\naccommodate gadget drivers calling usb_gadget_deactivate() as part of\ntheir unbind procedure.\nCurrently this doesn't work.  gadget_unbind_driver() calls\ndriver->unbind() while holding the udc->connect_lock mutex, and\nusb_gadget_deactivate() attempts to acquire that mutex, which will\nresult in a deadlock.\nThe simple fix is for gadget_unbind_driver() to release the mutex when\ninvoking the ->unbind() callback.  There is no particular reason for\nit to be holding the mutex at that time, and the mutex isn't held\nwhile the ->bind() callback is invoked.  So we'll drop the mutex\nbefore performing the unbind callback and reacquire it afterward.\nWe'll also add a couple of comments to usb_gadget_activate() and\nusb_gadget_deactivate().  Because they run in process context they\nmust not be called from a gadget driver's ->disconnect() callback,\nwhich (according to the kerneldoc for struct usb_gadget_driver in\ninclude/linux/usb/gadget.h) may run in interrupt context.  This may\nhelp prevent similar bugs from arising in the future.", "A deadlock flaw was found in the Linux kernel's USB Gadget subsystem in the driver unbind path.\nA local privileged user can trigger this issue by removing a UVC gadget driver from a gadget configuration, causing the unbind callback to call usb_gadget_deactivate while the caller holds the connect_lock mutex. This results in a deadlock attempting to reacquire the same mutex, leading to a kernel panic or system hang." ],
  "statement" : "The gadget_unbind_driver function calls the driver's unbind callback while holding the udc->connect_lock mutex. When the UVC gadget driver's unbind function calls usb_gadget_deactivate as part of its cleanup, that function attempts to acquire the same mutex, creating a classic self-deadlock. This issue was exposed by the interaction between kernel components and userspace in UVC gadget configurations. The fix is straightforward—drop the mutex before invoking the unbind callback, which matches the pattern used for bind callbacks.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53580\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53580\nhttps://lore.kernel.org/linux-cve-announce/2025100423-CVE-2023-53580-7d16@gregkh/T" ],
  "name" : "CVE-2023-53580",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the usb_f_uvc module from being loaded. See https://access.redhat.com/solutions/41278 for instructions on blacklisting kernel modules.",
    "lang" : "en:us"
  },
  "csaw" : false
}