CVE-2023-47233: 
Linux Kernel vulnerability analysis and mitigation

The Linux kernel through version 6.5.10 contains a use-after-free vulnerability (CVE-2023-47233) in the brcm80211 component, specifically in the brcmfcfg80211detach function during device unplugging (USB hotplug disconnect) operations. The vulnerability is related to the brcmfcfg80211escantimeoutworker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c (NVD, Ubuntu).

The vulnerability occurs due to a race condition in the device removal process. When a USB device is unplugged, the brcmfusbdisconnect function initiates a cleanup chain through brcmfusbdisconnectcb, brcmfdetach, and brcmfcfg80211detach, ultimately freeing the cfg structure. However, the timeout worker may still be running when this occurs, leading to a use-after-free condition in brcmfcfg80211escantimeoutworker. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with vector AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can be exploited by physically proximate attackers with local access to cause a denial of service (system crash). The impact is limited to availability, with no direct impact on confidentiality or integrity (Ubuntu).

A fix has been developed and committed to the Linux kernel. The patch involves properly handling the cleanup sequence by adding timer deletion and worker cancellation in brcmfcfg80211detach. The fix was committed with ID 0f7352557a35ab7888bc7831411ec8a3cbe20d78 and has been backported to various stable kernel versions (Kernel Commit).