CVE-2023-53518: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-53518 is a vulnerability discovered in the Linux kernel related to a resource leak in the devfreq device release function. The vulnerability was published on October 1, 2025, and involves the PM/devfreq subsystem where srcuinitnotifierhead() allocates resources that need to be properly released with srcucleanupnotifierhead() call (NVD, Ubuntu).

The vulnerability stems from a memory leak in the devfreqdevrelease() function within the Linux kernel's Power Management (PM) devfreq subsystem. The issue occurs when srcuinitnotifierhead() allocates resources that are not properly cleaned up, as they require a corresponding srcucleanupnotifierhead() call. This vulnerability was initially detected by the kernel memory leak detector (kmemleak). The severity of this vulnerability has been assessed with a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicating a medium severity level (Red Hat).

The primary impact of this vulnerability is a memory leak in affected systems, which could potentially lead to resource exhaustion over time. While the vulnerability does not pose immediate confidentiality or integrity risks, it could affect system availability due to the uncontrolled resource consumption (Red Hat).

Several Linux distributions have released fixes for this vulnerability. Ubuntu has fixed the issue in version 5.15.0-94.104~20.04.1 for linux-hwe-5.15, version 5.15.0-1053.58~20.04.1 for linux-aws-5.15, and version 5.4.0-1104.111 for linux-kvm. Red Hat has deferred fixes for Red Hat Enterprise Linux 9 (Ubuntu, Red Hat).