{
  "threat_severity" : "Low",
  "public_date" : "2025-12-30T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: media: usb: siano: Fix use after free bugs caused by do_submit_urb",
    "id" : "2426112",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426112"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-825",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmedia: usb: siano: Fix use after free bugs caused by do_submit_urb\nThere are UAF bugs caused by do_submit_urb(). One of the KASan reports\nis shown below:\n[   36.403605] BUG: KASAN: use-after-free in worker_thread+0x4a2/0x890\n[   36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49\n[   36.408316]\n[   36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237ad1d4-dir8\n[   36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584\n[   36.416157] Workqueue:  0x0 (events)\n[   36.417654] Call Trace:\n[   36.418546]  <TASK>\n[   36.419320]  dump_stack_lvl+0x96/0xd0\n[   36.420522]  print_address_description+0x75/0x350\n[   36.421992]  print_report+0x11b/0x250\n[   36.423174]  ? _raw_spin_lock_irqsave+0x87/0xd0\n[   36.424806]  ? __virt_addr_valid+0xcf/0x170\n[   36.426069]  ? worker_thread+0x4a2/0x890\n[   36.427355]  kasan_report+0x131/0x160\n[   36.428556]  ? worker_thread+0x4a2/0x890\n[   36.430053]  worker_thread+0x4a2/0x890\n[   36.431297]  ? worker_clr_flags+0x90/0x90\n[   36.432479]  kthread+0x166/0x190\n[   36.433493]  ? kthread_blkcg+0x50/0x50\n[   36.434669]  ret_from_fork+0x22/0x30\n[   36.435923]  </TASK>\n[   36.436684]\n[   36.437215] Allocated by task 24:\n[   36.438289]  kasan_set_track+0x50/0x80\n[   36.439436]  __kasan_kmalloc+0x89/0xa0\n[   36.440566]  smsusb_probe+0x374/0xc90\n[   36.441920]  usb_probe_interface+0x2d1/0x4c0\n[   36.443253]  really_probe+0x1d5/0x580\n[   36.444539]  __driver_probe_device+0xe3/0x130\n[   36.446085]  driver_probe_device+0x49/0x220\n[   36.447423]  __device_attach_driver+0x19e/0x1b0\n[   36.448931]  bus_for_each_drv+0xcb/0x110\n[   36.450217]  __device_attach+0x132/0x1f0\n[   36.451470]  bus_probe_device+0x59/0xf0\n[   36.452563]  device_add+0x4ec/0x7b0\n[   36.453830]  usb_set_configuration+0xc63/0xe10\n[   36.455230]  usb_generic_driver_probe+0x3b/0x80\n[   36.456166] printk: console [ttyGS0] disabled\n[   36.456569]  usb_probe_device+0x90/0x110\n[   36.459523]  really_probe+0x1d5/0x580\n[   36.461027]  __driver_probe_device+0xe3/0x130\n[   36.462465]  driver_probe_device+0x49/0x220\n[   36.463847]  __device_attach_driver+0x19e/0x1b0\n[   36.465229]  bus_for_each_drv+0xcb/0x110\n[   36.466466]  __device_attach+0x132/0x1f0\n[   36.467799]  bus_probe_device+0x59/0xf0\n[   36.469010]  device_add+0x4ec/0x7b0\n[   36.470125]  usb_new_device+0x863/0xa00\n[   36.471374]  hub_event+0x18c7/0x2220\n[   36.472746]  process_one_work+0x34c/0x5b0\n[   36.474041]  worker_thread+0x4b7/0x890\n[   36.475216]  kthread+0x166/0x190\n[   36.476267]  ret_from_fork+0x22/0x30\n[   36.477447]\n[   36.478160] Freed by task 24:\n[   36.479239]  kasan_set_track+0x50/0x80\n[   36.480512]  kasan_save_free_info+0x2b/0x40\n[   36.481808]  ____kasan_slab_free+0x122/0x1a0\n[   36.483173]  __kmem_cache_free+0xc4/0x200\n[   36.484563]  smsusb_term_device+0xcd/0xf0\n[   36.485896]  smsusb_probe+0xc85/0xc90\n[   36.486976]  usb_probe_interface+0x2d1/0x4c0\n[   36.488303]  really_probe+0x1d5/0x580\n[   36.489498]  __driver_probe_device+0xe3/0x130\n[   36.491140]  driver_probe_device+0x49/0x220\n[   36.492475]  __device_attach_driver+0x19e/0x1b0\n[   36.493988]  bus_for_each_drv+0xcb/0x110\n[   36.495171]  __device_attach+0x132/0x1f0\n[   36.496617]  bus_probe_device+0x59/0xf0\n[   36.497875]  device_add+0x4ec/0x7b0\n[   36.498972]  usb_set_configuration+0xc63/0xe10\n[   36.500264]  usb_generic_driver_probe+0x3b/0x80\n[   36.501740]  usb_probe_device+0x90/0x110\n[   36.503084]  really_probe+0x1d5/0x580\n[   36.504241]  __driver_probe_device+0xe3/0x130\n[   36.505548]  driver_probe_device+0x49/0x220\n[   36.506766]  __device_attach_driver+0x19e/0x1b0\n[   36.508368]  bus_for_each_drv+0xcb/0x110\n[   36.509646]  __device_attach+0x132/0x1f0\n[   36.510911]  bus_probe_device+0x59/0xf0\n[   36.512103]  device_add+0x4ec/0x7b0\n[   36.513215]  usb_new_device+0x863/0xa00\n[   36.514736]  hub_event+0x18c7/0x2220\n[   36.516130]  process_one_work+\n---truncated---", "A use-after-free vulnerability was found in the Linux kernel's Siano USB driver for digital TV receivers. In do_submit_urb(), memory allocated during smsusb_probe() can be freed by smsusb_term_device() while URB work items are still referencing it. This leads to a use-after-free condition when worker threads access the freed memory." ],
  "statement" : "Exploiting this flaw requires physical access to connect a malicious or malfunctioning Siano USB device. The UAF occurs during device probing, which is controlled by physical device insertion. While UAF bugs can be severe, the physical access requirement substantially reduces the attack surface.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:7077",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-513.5.1.el8_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
    "release_date" : "2024-02-07T00:00:00Z",
    "advisory" : "RHSA-2024:0724",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.6",
    "package" : "kernel-0:4.18.0-372.91.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
    "release_date" : "2024-02-07T00:00:00Z",
    "advisory" : "RHSA-2024:0724",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4.4::el8",
    "package" : "kernel-0:4.18.0-372.91.1.el8_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54270\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54270\nhttps://lore.kernel.org/linux-cve-announce/2025123000-CVE-2023-54270-cdd0@gregkh/T" ],
  "name" : "CVE-2023-54270",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the smsusb module from being loaded. See https://access.redhat.com/solutions/41278 for instructions.",
    "lang" : "en:us"
  },
  "csaw" : false
}