{
  "threat_severity" : "Low",
  "public_date" : "2025-12-30T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: clk: imx93: fix memory leak and missing unwind goto in imx93_clocks_probe",
    "id" : "2426031",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426031"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-772",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nclk: imx93: fix memory leak and missing unwind goto in imx93_clocks_probe\nIn function probe(), it returns directly without unregistering hws\nwhen an error occurs.\nFix this by adding 'goto unregister_hws;' on line 295 and\nline 310.\nUse devm_kzalloc() instead of kzalloc() to automatically\nfree the memory using devm_kfree() when an error occurs.\nReplace of_iomap() with devm_of_iomap() to automatically\nhandle the unused ioremap region and delete 'iounmap(anatop_base);'\nin unregister_hws.", "A memory leak was found in the Linux kernel's i.MX93 clock driver. The imx93_clocks_probe() function returns directly without unregistering hardware clocks or freeing allocated memory when errors occur. The fix converts allocations to use device-managed APIs (devm_kzalloc, devm_of_iomap) and adds proper error handling goto paths." ],
  "statement" : "This flaw affects only NXP i.MX93 SoC platforms and manifests during clock driver probe failures. The memory leak occurs only in error paths during driver initialization, not during normal operation. Given the limited platform scope and requirement for probe failures, the practical security impact is minimal.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54221\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54221\nhttps://lore.kernel.org/linux-cve-announce/2025123027-CVE-2023-54221-567b@gregkh/T" ],
  "name" : "CVE-2023-54221",
  "csaw" : false
}