PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-52614 Linux CVE debrief

CVE-2023-52614 is a buffer overflow in the Linux kernel's PM / devfreq subsystem, in trans_stat_show(), the handler behind the trans_stat sysfs attribute that prints a device's frequency-transition table. According to the CVE record and the referenced kernel patches, the function accumulated the return values of its formatting calls into an output offset with no check against PAGE_SIZE, the one page that sysfs hands a show() callback; since the table has one row and one column per frequency state, a device with enough states could push the offset past the page and the remaining writes ran off the end of the buffer. The fix switches to scnprintf(), whose return value is the number of bytes actually stored, exits the loop once PAGE_SIZE would be exceeded, logs a warning that the statistics are disabled, and returns -EFBIG when the full table cannot fit. NVD rates the issue HIGH (CVSS 3.1 score 7.8) with a local, low-privilege attack vector.

Vendor
Linux
Product
Linux kernel (drivers/devfreq)
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2024-03-18
Original CVE updated
2026-05-12
Advisory published
2024-03-18
Advisory updated
2026-05-12

Who should care

Linux kernel maintainers, distro security teams, embedded and appliance vendors shipping affected kernel branches, and operators of multi-user systems with devfreq devices should prioritize this advisory. devfreq is used mostly on SoC and embedded platforms (GPUs, memory controllers, buses), and its sysfs attributes, including trans_stat, are readable by ordinary local users on such systems.

Technical summary

The vulnerable code is trans_stat_show() in drivers/devfreq/devfreq.c, the show() callback for the trans_stat sysfs attribute. It formats a table with one row and one column per frequency state of the device, so the output grows with the square of the number of states, while sysfs gives the callback exactly one page (PAGE_SIZE) of buffer. Per the CVE description the function accumulated formatting return values into its offset without checking that offset against PAGE_SIZE; with snprintf() the return value is the length the output would have had rather than what was stored, so once the offset passes PAGE_SIZE the remaining-size argument (PAGE_SIZE minus the offset) wraps to a huge value and subsequent writes land past the page. The remediation uses scnprintf() bounded by PAGE_SIZE, whose return value is the bytes actually stored; exits the loops early once the page is full; warns that the statistics are disabled because they do not fit; and returns -EFBIG so the read fails instead of returning a truncated table. The sysfs ABI documentation (Documentation/ABI/testing/sysfs-class-devfreq) is updated to note that reading trans_stat can fail with -EFBIG.
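To make the bug class concrete, here is an added example written for this debrief; it is not the kernel's code or the patch. It models trans_stat_show() as a userspace function that formats a From/To transition table into a one-page buffer followed by an 0xAA canary region, using the kernel's column layout but leaving out the time(ms) column and the total line. The vulnerable shape is assumed to be snprintf() called with PAGE_SIZE - len as the size (the CVE description names snprintf; a plain sprintf() overruns the same way, just without the size wrap); the fixed shape mirrors the patch: k_scnprintf() reproduces scnprintf() semantics, the loop stops once the page is full, and the caller reports -EFBIG. devfreq_stats, build_trans_table, run_builder, the warning text and the constructed statistics are all inventions of the example.

```c
/* Userspace model of the CVE-2023-52614 bug class in a sysfs show() callback:
 * the pre-fix trans_stat_show() summed formatting return values into an offset
 * with no check against PAGE_SIZE.  With snprintf() that return value is the
 * would-be length, so len can pass PAGE_SIZE and PAGE_SIZE - len wraps to a
 * huge size_t.  Written for this debrief, not the kernel's code; all data is
 * constructed. */
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define PAGE_SIZE  4096UL   /* sysfs hands show() exactly one page */
#define GUARD_SIZE 8192UL   /* 0xAA canary after the page, to observe overruns */
#define MAX_STATES 32

struct devfreq_stats {                /* only the fields the table needs */
    unsigned int n;                   /* number of frequency states */
    unsigned long freq[MAX_STATES];
    unsigned int trans[MAX_STATES][MAX_STATES];
};
typedef int (*put_fn)(char *buf, size_t size, const char *fmt, ...);
struct show_result { ssize_t ret; size_t clobbered; };

/* Kernel scnprintf() semantics: return bytes actually stored (at most size-1),
 * so an offset accumulated from the return value can never pass the buffer. */
static int k_scnprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n < 0 ? 0 : (size_t)n < size ? n : (size ? (int)(size - 1) : 0);
}

/* Table formatter shared by both shapes: put() is the formatting primitive,
 * stop_when_full the early exit the fix added.  Column layout follows the
 * kernel's From/To table (time(ms) column and total line left out). */
static ssize_t build_trans_table(const struct devfreq_stats *s, char *buf,
                                 put_fn put, int stop_when_full)
{
    ssize_t len = 0;
    unsigned int i, j;

    len += put(buf + len, PAGE_SIZE - len, "     From  :   To\n           :");
    for (i = 0; i < s->n; i++)
        len += put(buf + len, PAGE_SIZE - len, "%10lu", s->freq[i]);
    len += put(buf + len, PAGE_SIZE - len, "\n");
    for (i = 0; i < s->n; i++) {
        len += put(buf + len, PAGE_SIZE - len, "%10lu:", s->freq[i]);
        for (j = 0; j < s->n; j++) {
            /* pre-fix: once len > PAGE_SIZE this size wraps and buf+len is past the page */
            len += put(buf + len, PAGE_SIZE - len, "%10u", s->trans[i][j]);
            if (stop_when_full && len >= (ssize_t)PAGE_SIZE - 1)
                return len;           /* page full: stop, caller reports it */
        }
        len += put(buf + len, PAGE_SIZE - len, "\n");
    }
    return len;
}

/* Pre-fix shape: plain snprintf, no bound check on the accumulated offset. */
static ssize_t trans_stat_vulnerable(const struct devfreq_stats *s, char *buf)
{
    return build_trans_table(s, buf, snprintf, 0);
}

/* Fixed shape: scnprintf bounds every write, the loop stops when the page is
 * full, and the reader gets -EFBIG instead of a silently truncated table. */
static ssize_t trans_stat_hardened(const struct devfreq_stats *s, char *buf)
{
    ssize_t len = build_trans_table(s, buf, k_scnprintf, 1);
    if (len >= (ssize_t)PAGE_SIZE - 1) {
        fprintf(stderr, "devfreq: transition table exceeds PAGE_SIZE, stats disabled\n");
        return -EFBIG;
    }
    return len;
}

/* Run a show() callback on one page followed by a 0xAA canary region and count
 * the canary bytes it overwrote (0 means the page boundary held).  Constructed
 * stats: n states 100 MHz apart, i+j transitions between distinct states. */
static struct show_result run_builder(ssize_t (*show)(const struct devfreq_stats *, char *),
                                      unsigned int n)
{
    static struct devfreq_stats s;
    static char page[PAGE_SIZE + GUARD_SIZE];
    struct show_result r = { 0, 0 };
    unsigned int i, j, k;

    memset(&s, 0, sizeof s);
    s.n = n < MAX_STATES ? n : MAX_STATES;
    for (i = 0; i < s.n; i++) {
        s.freq[i] = 100000000UL * (i + 1);
        for (j = 0; j < s.n; j++)
            s.trans[i][j] = i == j ? 0 : i + j;
    }
    memset(page, 0, PAGE_SIZE);
    memset(page + PAGE_SIZE, 0xAA, GUARD_SIZE);
    r.ret = show(&s, page);
    for (k = 0; k < GUARD_SIZE; k++)
        r.clobbered += (unsigned char)page[PAGE_SIZE + k] != 0xAA;
    return r;
}
```

With 10 states the table is about 1.2 KiB and both shapes return the same length with the canary intact. With 20 states it needs about 4.4 KiB: run_builder(trans_stat_vulnerable, 20) reports a length above PAGE_SIZE and several hundred canary bytes overwritten, while run_builder(trans_stat_hardened, 20) returns -EFBIG and leaves the canary untouched. On a real kernel the first case corrupts whatever follows the sysfs page; on a patched kernel the corresponding read() of trans_stat simply fails with EFBIG.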

Defensive priority

High. This is a kernel buffer overflow reachable by reading a sysfs file, scored CVSS 7.8 with a local attack vector and high confidentiality, integrity and availability impact. Two caveats for triage: whether the table overflows at all depends on how many frequency states the device exposes (the table grows quadratically with that count, so small frequency tables never exceed a page), and the bytes written past the page are ASCII digits and whitespace from the statistics table rather than attacker-chosen data, so the practical outcome on an affected device is kernel memory corruption or a crash triggered by an unprivileged read rather than a turnkey code-execution primitive. Prioritize patched kernels on multi-user systems and on embedded or SoC platforms where devfreq is actually in use.

Recommended defensive actions

  • Move affected systems to kernel releases at or beyond the fixed versions listed by NVD: 5.10.216, 5.15.149, 6.1.76, 6.6.15, or 6.7.3 (the fix landed in mainline 6.8), or apply the relevant stable backport from your vendor.
  • Verify that your distribution kernel includes the backported devfreq/trans_stat_show fix; do not rely only on upstream version numbers if you consume vendor kernels. Check the vendor changelog for CVE-2023-52614 or for the commit titled "PM / devfreq: Fix buffer overflow in trans_stat_show", since distro kernels carry their own version strings.
  • Track vendor and downstream advisories for this issue, including the referenced Debian LTS notice, to confirm package-level remediation.
  • Review any tooling or scripts that read /sys/class/devfreq/*/trans_stat so they tolerate a failed read: on a patched kernel a table that does not fit in a page makes read() fail with errno EFBIG ("File too large") rather than returning partial output.
  • If immediate patching is not possible, reduce exposure of affected multi-user systems to untrusted local accounts until remediation is complete. Gauge exposure first: a device whose available_frequencies attribute lists only a handful of states cannot overflow the page, while one with dozens of states can. Restricting read permission on the trans_stat attribute (for example with a udev rule) is a generic hardening step not drawn from the advisory, and it only blocks the unprivileged trigger, not a read by root or by the kernel itself.

Evidence notes

This debrief is based only on the supplied CVE record, NVD metadata, and referenced official patch/advisory links. The CVE was published on 2024-03-18 and last modified by NVD on 2026-05-12. NVD lists affected Linux kernel version ranges and a CVSS 3.1 vector of AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The kernel references are stable patch links, and a Debian LTS announcement is also cited.

Official resources

Publicly disclosed in the CVE/NVD record on 2024-03-18, with NVD last modified on 2026-05-12. Official remediation references point to Linux kernel stable patches and a Debian LTS advisory.