CVE-2023-52469: drivers/amd/pm: fix a use-after-free in kv_parse_power_table
In the Linux kernel, the following vulnerability has been resolved:
drivers/amd/pm: fix a use-after-free in kv_parse_power_table
When ps allocated by kzalloc equals to NULL, kv_parse_power_table
frees adev->pm.dpm.ps that allocated before. However, after the control
flow goes through the following call chains:
kv_parse_power_table
|-> kv_dpm_init
|-> kv_dpm_sw_init
|-> kv_dpm_fini
The adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its
first free in kv_parse_power_table and causes a use-after-free bug.
Security readout for executives and security teams
Plain-English summary
CVE-2023-52469 is a Linux kernel bug in AMD power-management code. Under an allocation-failure path, memory can be freed and later reused, creating a use-after-free condition. The source bundle does not provide CVSS, attacker prerequisites, or confirmed impact, so urgency depends on affected kernel and hardware presence.
Executive priority
Handle through normal kernel patch management unless your environment has broad AMD Linux workstation or server exposure. There is no cited active exploitation, but kernel memory-safety bugs can carry operational risk, so confirm patch status rather than deferring indefinitely.
Technical view
The flaw is in drivers/amd/pm, specifically kv_parse_power_table. If kzalloc returns NULL, adev->pm.dpm.ps is freed, but later control flow through kv_dpm_init, kv_dpm_sw_init, and kv_dpm_fini can use it again in a loop. Linux stable commits are referenced as fixes.
Likely exposure
Exposure is most likely on Linux systems running affected kernel versions or downstream distribution kernels that include the vulnerable AMD power-management driver path. Systems without relevant AMD graphics/power-management code may be less exposed, but the bundle does not provide a complete product matrix.
Exploitation context
The source bundle does not show active exploitation, and KEV is false. It also does not identify a public exploit, remote attack path, or required privileges. Treat this as a kernel memory-safety issue with incomplete exploitability evidence.
Researcher notes
Evidence is limited to the CVE description, Linux stable references, and Debian LTS announcements. No CVSS, CWE, exploitability analysis, or attacker model is included. The key technical condition is an allocation failure followed by reuse of adev->pm.dpm.ps during cleanup.
Mitigation direction
Check your Linux vendor or distribution advisory for fixed kernel packages.
Update affected systems to a kernel containing the referenced stable fixes.
Prioritize assets with AMD graphics hardware or AMD power-management driver usage.
Track Debian LTS advisories if managing Debian-based long-term-support systems.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2023-52469 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.