CVE-2023-53613: 
Linux Kernel vulnerability analysis and mitigation

A use-after-free vulnerability was discovered in the Linux kernel's daxmappingrelease() function. The issue was identified on October 4, 2025 and assigned CVE-2023-53613. The vulnerability affects the device-dax region provider functionality in the Linux kernel, specifically when removing a device-dax region provider (like using modprobe -r dax_hmem) (NVD).

The vulnerability occurs due to attempting idafree() on an ida object that has already been freed. This happens during the release of a device-dax region provider. The issue manifests when a CONFIGDEBUGKOBJECTRELEASE test is performed, triggering a warning about kobject release and lock acquisition problems. The technical trace shows the error occurring in the _lockacquire+0x9fc/0x2260 function call path (NVD).

The vulnerability could lead to system instability and potential crashes when removing device-dax region providers. This affects systems using the device-dax functionality in the Linux kernel (Ubuntu).

Multiple Linux distributions have released fixes for this vulnerability. Ubuntu has provided fixes in various kernel versions including linux-kvm (5.15.0-1044.49), linux-azure (5.15.0-1049.56), and linux-gcp (5.15.0-1044.52). The fix involves ensuring that a daxmapping pins its parent devdax instance until daxmappingrelease() (Ubuntu).