{
  "threat_severity" : "Low",
  "public_date" : "2025-10-07T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: perf trace: Really free the evsel->priv area",
    "id" : "2402214",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2402214"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-771",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nperf trace: Really free the evsel->priv area\nIn 3cb4d5e00e037c70 (\"perf trace: Free syscall tp fields in\nevsel->priv\") it only was freeing if strcmp(evsel->tp_format->system,\n\"syscalls\") returned zero, while the corresponding initialization of\nevsel->priv was being performed if it was _not_ zero, i.e. if the tp\nsystem wasn't 'syscalls'.\nJust stop looking for that and free it if evsel->priv was set, which\nshould be equivalent.\nAlso use the pre-existing evsel_trace__delete() function.\nThis resolves these leaks, detected with:\n$ make EXTRA_CFLAGS=\"-fsanitize=address\" BUILD_BPF_SKEL=1 CORESIGHT=1 O=/tmp/build/perf-tools-next -C tools/perf install-bin\n=================================================================\n==481565==ERROR: LeakSanitizer: detected memory leaks\nDirect leak of 40 byte(s) in 1 object(s) allocated from:\n#0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097)\n#1 0x987966 in zalloc (/home/acme/bin/perf+0x987966)\n#2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307\n#3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333\n#4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458\n#5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480\n#6 0x540e8b in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3212\n#7 0x540e8b in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891\n#8 0x540e8b in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156\n#9 0x5ef262 in run_builtin /home/acme/git/perf-tools-next/tools/perf/perf.c:323\n#10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377\n#11 0x4196da in run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421\n#12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537\n#13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)\nDirect leak of 40 byte(s) in 1 object(s) allocated from:\n#0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097)\n#1 0x987966 in zalloc (/home/acme/bin/perf+0x987966)\n#2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307\n#3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333\n#4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458\n#5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480\n#6 0x540dd1 in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3205\n#7 0x540dd1 in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891\n#8 0x540dd1 in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156\n#9 0x5ef262 in run_builtin /home/acme/git/perf-tools-next/tools/perf/perf.c:323\n#10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377\n#11 0x4196da in run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421\n#12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537\n#13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)\nSUMMARY: AddressSanitizer: 80 byte(s) leaked in 2 allocation(s).\n[root@quaco ~]#\nWith this we plug all leaks with \"perf trace sleep 1\".", "A memory leak flaw was found in the Linux kernel's perf trace tool in the event selector cleanup logic.\nA local user can trigger this issue by running perf trace commands, causing the tool to free memory based on an incorrect condition check that inverts the intended logic for non-syscall tracepoints. This results in allocated memory never being freed, leading to resource exhaustion and denial of service through memory depletion." ],
  "statement" : "The perf trace cleanup code contains inverted logic when freeing the evsel->priv area. Memory is allocated when the tracepoint system is not \"syscalls\", but the cleanup code only frees when it is \"syscalls\", creating a mismatch. This means memory allocated for non-syscall tracepoints is never released, causing a permanent leak with each perf trace invocation. The issue was detected using AddressSanitizer during testing and manifests as 40-byte leaks per event selector. While a single perf trace command leaks relatively small amounts of memory, repeated invocations or long-running trace sessions can accumulate significant memory consumption.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-05-10T00:00:00Z",
    "advisory" : "RHSA-2022:1988",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-372.9.1.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53649\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53649\nhttps://lore.kernel.org/linux-cve-announce/2025100718-CVE-2023-53649-0a4a@gregkh/T" ],
  "name" : "CVE-2023-53649",
  "csaw" : false
}