CVE-2023-52445: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-52445 is a use-after-free vulnerability discovered in the Linux kernel's pvrusb2 driver. The vulnerability was disclosed on February 22, 2024, affecting various Linux kernel versions up to (excluding) 4.19.306, 5.4.268, 5.10.209, and 5.15.148. The issue occurs in the media subsystem's pvrusb2 driver during context disconnection (NVD).

The vulnerability stems from a race condition in the pvrusb2 driver. Upon module load, a kthread is created targeting the pvr2_context_thread_func function, which may call pvr2_context_destroy and thus call kfree() on the context object. This can happen before the USB hub_event handler is able to notify the driver, leading to a use-after-free condition. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could potentially lead to privilege escalation, denial of service, or information disclosure on affected systems. The high CVSS score indicates significant potential impact on the confidentiality, integrity, and availability of the system (NVD).

The vulnerability has been fixed through a patch that adds a sanity check before the invalid read within the context disconnection call stack. The fix has been implemented across multiple Linux distributions. Ubuntu has released fixes for various versions including 23.10 (6.5.0-41.41), 22.04 LTS (5.15.0-102.112), and 20.04 LTS (5.4.0-176.196). Debian has also released fixes for affected versions (Ubuntu, Debian).