CVE-2023-53405: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-53405 is a vulnerability discovered in the Linux kernel related to memory management in the USB gadget subsystem. The issue was disclosed on September 18, 2025, and specifically affects the grudc driver's interaction with debugfslookup() function. The vulnerability exists because when calling debugfs_lookup(), the result must have dput() called on it, otherwise memory will leak over time (NVD).

The vulnerability stems from improper memory management in the Linux kernel's USB gadget grudc driver. The technical issue occurs when the debugfslookup() function is called without a corresponding dput() call, resulting in a memory leak that accumulates over time. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a moderate severity level (Red Hat).

The primary impact of this vulnerability is a memory leak in the Linux kernel that can grow over time, potentially leading to resource exhaustion. The CVSS scoring indicates that while there is no impact on confidentiality or integrity, there is a high impact on availability due to the memory leak (Red Hat).

The vulnerability has been fixed by replacing the debugfslookup() call with debugfslookupandremove(), which handles all the cleanup logic at once. This fix has been implemented in various Linux distributions, including Ubuntu 22.04 LTS (version 5.15.0-79.86) and Debian bookworm (version 6.1.153-1) (Ubuntu, Debian).