CVE-2023-53012: thermal: core: call put_device() only after device_register() fails
In the Linux kernel, the following vulnerability has been resolved:
thermal: core: call put_device() only after device_register() fails
put_device() shouldn't be called before a prior call to
device_register(). __thermal_cooling_device_register() doesn't follow
that properly and needs fixing. Also
thermal_cooling_device_destroy_sysfs() is getting called unnecessarily
on few error paths.
Fix all this by placing the calls at the right place.
Based on initial work done by Caleb Connolly.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel bug in the cleanup path for thermal cooling devices. The public record says the kernel could call cleanup in the wrong order during failed registration. Business risk is hard to rate because impact and exploitability are not stated.
Executive priority
Treat this as a kernel maintenance item with unclear business urgency. It should not override actively exploited vulnerabilities, but Linux kernel fleets should receive normal vendor updates and exposure tracking because kernel cleanup bugs can have operational impact.
Technical view
The issue is in Linux thermal core __thermal_cooling_device_register(). put_device() could be called before successful device_register(), and sysfs cleanup ran on unnecessary error paths. The fix moves cleanup calls to the correct failure paths. No CVSS, CWE, privilege impact, or trigger requirements are provided.
Likely exposure
Linux hosts, appliances, or embedded devices running affected kernel revisions that include the vulnerable thermal core code. Exposure is most relevant where thermal cooling device registration can fail. The sources do not map this to specific distributions or packaged kernel versions.
Exploitation context
CISA KEV is false, and no cited source states active exploitation or public exploit availability. The source bundle does not provide attacker prerequisites, trigger details, or practical impact, so exploitation likelihood cannot be judged from the available evidence.
Researcher notes
The public record is sparse: it documents incorrect device lifecycle ordering and unnecessary sysfs cleanup calls, but not the resulting failure mode. Analysis should focus on kernel version lineage, backports, and vendor advisories rather than speculative exploitation claims.
Mitigation direction
Track Linux vendor advisories for kernels containing this thermal core fix.
Apply validated kernel updates that include the referenced stable commits.
Prioritize systems using custom or older Linux kernels with thermal subsystem changes.
Avoid assuming distribution package exposure without vendor mapping.
Keep normal kernel rollback plans for update testing.
Validation and detection
Inventory Linux kernel versions and vendor package advisory status.
Check whether deployed source or changelog includes the referenced stable commits.
Confirm affected systems use kernel builds containing the thermal core code path.
Review vendor security notices for backport identifiers and fixed package versions.
Record uncertainty where impact, CVSS, or exploitability are not published.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2023-53012 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
4Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Mar 27, 2025, 16:43 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.