CVE-2023-52473: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-52473 is a NULL pointer dereference vulnerability discovered in the Linux kernel's thermal subsystem. The issue occurs in the thermal zone registration error path when device_register() in thermal_zone_device_register_with_trips() returns an error, causing the tz variable to be set to NULL and subsequently dereferenced in kfree(tz->tzp). This vulnerability affects Linux kernel versions from 6.4.0 up to (excluding) 6.6.14 and versions from 6.7.0 up to (excluding) 6.7.2 (NVD).

The vulnerability stems from a redundant NULL assignment introduced by commit adc8749b150c ("thermal/drivers/core: Use put_device() if device_register() fails") which was intended to avoid a possible double-free after dropping the reference to the zone device. However, after commit 4649620d9404 ("thermal: core: Make thermal_zone_device_unregister() return after freeing the zone"), this assignment became problematic as dropping the reference to the zone device no longer causes the zone object to be freed. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a NULL pointer dereference in the Linux kernel's thermal subsystem, potentially causing a system crash or denial of service condition (Kernel Patch).

The vulnerability has been fixed by removing the redundant NULL assignment in the thermal core code. The fix has been implemented in the Linux kernel through patches that address the NULL pointer dereference issue. Users should update their Linux kernel to versions 6.6.14, 6.7.2 or later to receive the fix (Kernel Patch).