LiveActive security incident?Get immediate response
CVE Record

CVE-2023-53580: USB: Gadget: core: Help prevent panic during UVC unconfigure

In the Linux kernel, the following vulnerability has been resolved: USB: Gadget: core: Help prevent panic during UVC unconfigure Avichal Rakesh reported a kernel panic that occurred when the UVC gadget driver was removed from a gadget's configuration. The panic involves a somewhat complicated interaction between the kernel driver and a userspace component (as described in the Link tag below), but the analysis did make one thing clear: The Gadget core should accomodate gadget drivers calling usb_gadget_deactivate() as part of their unbind procedure. Currently this doesn't work. gadget_unbind_driver() calls driver->unbind() while holding the udc->connect_lock mutex, and usb_gadget_deactivate() attempts to acquire that mutex, which will result in a deadlock. The simple fix is for gadget_unbind_driver() to release the mutex when invoking the ->unbind() callback. There is no particular reason for it to be holding the mutex at that time, and the mutex isn't held while the ->bind() callback is invoked. So we'll drop the mutex before performing the unbind callback and reacquire it afterward. We'll also add a couple of comments to usb_gadget_activate() and usb_gadget_deactivate(). Because they run in process context they must not be called from a gadget driver's ->disconnect() callback, which (according to the kerneldoc for struct usb_gadget_driver in include/linux/usb/gadget.h) may run in interrupt context. This may help prevent similar bugs from arising in the future.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This Linux kernel flaw can cause a crash or hang when USB video gadget functionality is being unconfigured. Business impact is availability, mainly for appliances or embedded systems that use Linux USB Gadget UVC mode. The source does not provide CVSS, confirmed exploitation, or broad remote exposure evidence.

Executive priority

Prioritize for products or environments where Linux devices provide USB camera gadget features and uptime matters. It is not currently evidenced as internet-scale or actively exploited in the provided sources, so broader enterprise urgency depends on device role and exposure.

Technical view

The issue is a deadlock in Linux USB Gadget core. gadget_unbind_driver() held udc->connect_lock while calling a driver unbind callback; usb_gadget_deactivate() can try to take the same mutex during UVC gadget unbind, causing deadlock and reported kernel panic. Stable kernel commits release the mutex around unbind and add context warnings.

Likely exposure

Most likely exposure is Linux-based embedded, appliance, mobile, lab, or product devices using USB Gadget UVC functionality. General servers and desktops are lower concern unless configured to act as USB gadgets. The provided affected version data is limited and should be validated against vendor kernel packages.

Exploitation context

The bundle reports a kernel panic found through UVC gadget unconfigure behavior. It does not cite active exploitation, CISA KEV listing, public exploit availability, or remote attack conditions. Treat this as a reliability and local/device-interaction availability issue unless vendor advisories say otherwise.

Researcher notes

Focus validation on the USB Gadget core unbind path and whether downstream kernels include the mutex release fix. The source describes process-context constraints for usb_gadget_activate/deactivate and cautions against disconnect-callback use. Version metadata appears sparse, so package-level confirmation is important.

Mitigation direction

  • Check vendor kernel advisories for CVE-2023-53580 applicability.
  • Update to a kernel containing the referenced stable fixes.
  • Prioritize devices using USB Gadget UVC mode.
  • Disable unused USB Gadget UVC functionality where operationally safe.
  • Track downstream vendor backports, not only upstream version numbers.

Validation and detection

  • Inventory Linux systems exposing USB Gadget or UVC gadget functions.
  • Map running kernel builds to vendor CVE-2023-53580 advisories.
  • Confirm whether referenced stable commits are present or backported.
  • Review device crash logs for UVC gadget unconfigure panics.
  • Test remediation in representative gadget-mode devices before rollout.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2023-53580 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
4Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxd8195536ce2624e2947d9f56b1a61e7a27874bd3, 286d9975a838d0a54da049765fa1d1fb96b89682, 286d9975a838d0a54da049765fa1d1fb96b89682, 85102a45c7390caf124a3a5796574446f1e037b9, 6.1.35, 6.3.9unaffected
LinuxLinux6.4, 0, 6.1.46, 6.4.11, 6.5affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.