{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-53709", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-10-22T13:21:37.346Z", "datePublished": "2025-10-22T13:23:45.155Z", "dateUpdated": "2025-10-22T13:23:45.155Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-10-22T13:23:45.155Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Handle race between rb_move_tail and rb_check_pages\n\nIt seems a data race between ring_buffer writing and integrity check.\nThat is, RB_FLAG of head_page is been updating, while at same time\nRB_FLAG was cleared when doing integrity check rb_check_pages():\n\n rb_check_pages() rb_handle_head_page():\n -------- --------\n rb_head_page_deactivate()\n rb_head_page_set_normal()\n rb_head_page_activate()\n\nWe do intergrity test of the list to check if the list is corrupted and\nit is still worth doing it. So, let's refactor rb_check_pages() such that\nwe no longer clear and set flag during the list sanity checking.\n\n[1] and [2] are the test to reproduce and the crash report respectively.\n\n1:\n``` read_trace.sh\n while true;\n do\n # the \"trace\" file is closed after read\n head -1 /sys/kernel/tracing/trace > /dev/null\n done\n```\n``` repro.sh\n sysctl -w kernel.panic_on_warn=1\n # function tracer will writing enough data into ring_buffer\n echo function > /sys/kernel/tracing/current_tracer\n ./read_trace.sh &\n ./read_trace.sh &\n ./read_trace.sh &\n ./read_trace.sh &\n ./read_trace.sh &\n ./read_trace.sh &\n ./read_trace.sh &\n ./read_trace.sh &\n```\n\n2:\n------------[ cut here ]------------\nWARNING: CPU: 9 PID: 62 at kernel/trace/ring_buffer.c:2653\nrb_move_tail+0x450/0x470\nModules linked in:\nCPU: 9 PID: 62 Comm: ksoftirqd/9 Tainted: G W 6.2.0-rc6+\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\nRIP: 0010:rb_move_tail+0x450/0x470\nCode: ff ff 4c 89 c8 f0 4d 0f b1 02 48 89 c2 48 83 e2 fc 49 39 d0 75 24\n83 e0 03 83 f8 02 0f 84 e1 fb ff ff 48 8b 57 10 f0 ff 42 08 <0f> 0b 83\nf8 02 0f 84 ce fb ff ff e9 db\nRSP: 0018:ffffb5564089bd00 EFLAGS: 00000203\nRAX: 0000000000000000 RBX: ffff9db385a2bf81 RCX: ffffb5564089bd18\nRDX: ffff9db281110100 RSI: 0000000000000fe4 RDI: ffff9db380145400\nRBP: ffff9db385a2bf80 R08: ffff9db385a2bfc0 R09: ffff9db385a2bfc2\nR10: ffff9db385a6c000 R11: ffff9db385a2bf80 R12: 0000000000000000\nR13: 00000000000003e8 R14: ffff9db281110100 R15: ffffffffbb006108\nFS: 0000000000000000(0000) GS:ffff9db3bdcc0000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005602323024c8 CR3: 0000000022e0c000 CR4: 00000000000006e0\nCall Trace:\n <TASK>\n ring_buffer_lock_reserve+0x136/0x360\n ? __do_softirq+0x287/0x2df\n ? __pfx_rcu_softirq_qs+0x10/0x10\n trace_function+0x21/0x110\n ? __pfx_rcu_softirq_qs+0x10/0x10\n ? __do_softirq+0x287/0x2df\n function_trace_call+0xf6/0x120\n 0xffffffffc038f097\n ? rcu_softirq_qs+0x5/0x140\n rcu_softirq_qs+0x5/0x140\n __do_softirq+0x287/0x2df\n run_ksoftirqd+0x2a/0x30\n smpboot_thread_fn+0x188/0x220\n ? __pfx_smpboot_thread_fn+0x10/0x10\n kthread+0xe7/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2c/0x50\n </TASK>\n---[ end trace 0000000000000000 ]---\n\n[ crash report and test reproducer credit goes to Zheng Yejian]"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/trace/ring_buffer.c"], "versions": [{"version": "1039221cc2787dee51a7ffbf9b0e79d192dadf76", "lessThan": "6e02a43acd0691791df79ce538f2dd497a6c9b76", "status": "affected", "versionType": "git"}, {"version": "1039221cc2787dee51a7ffbf9b0e79d192dadf76", "lessThan": "d41db100bc386b9433a3fc87026f5e8b453653e3", "status": "affected", "versionType": "git"}, {"version": "1039221cc2787dee51a7ffbf9b0e79d192dadf76", "lessThan": "9674390ac540ed06768e3fbc2dba553929fbd736", "status": "affected", "versionType": "git"}, {"version": "1039221cc2787dee51a7ffbf9b0e79d192dadf76", "lessThan": "09b1bf25f7f7a8f2bf8cd4278bba9c3172db8013", "status": "affected", "versionType": "git"}, {"version": "1039221cc2787dee51a7ffbf9b0e79d192dadf76", "lessThan": "8843e06f67b14f71c044bf6267b2387784c7e198", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/trace/ring_buffer.c"], "versions": [{"version": "5.7", "status": "affected"}, {"version": "0", "lessThan": "5.7", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.173", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.99", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.16", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2.3", "lessThanOrEqual": "6.2.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "5.10.173"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "5.15.99"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.1.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.2.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6e02a43acd0691791df79ce538f2dd497a6c9b76"}, {"url": "https://git.kernel.org/stable/c/d41db100bc386b9433a3fc87026f5e8b453653e3"}, {"url": "https://git.kernel.org/stable/c/9674390ac540ed06768e3fbc2dba553929fbd736"}, {"url": "https://git.kernel.org/stable/c/09b1bf25f7f7a8f2bf8cd4278bba9c3172db8013"}, {"url": "https://git.kernel.org/stable/c/8843e06f67b14f71c044bf6267b2387784c7e198"}], "title": "ring-buffer: Handle race between rb_move_tail and rb_check_pages", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Handle race between rb_move_tail and rb_check_pages\n\nIt seems a data race between ring_buffer writing and integrity check.\nThat is, RB_FLAG of head_page is been updating, while at same time\nRB_FLAG was cleared when doing integrity check rb_check_pages():\n\n rb_check_pages() rb_handle_head_page():\n -------- --------\n rb_head_page_deactivate()\n rb_head_page_set_normal()\n rb_head_page_activate()\n\nWe do intergrity test of the list to check if the list is corrupted and\nit is still worth doing it. So, let's refactor rb_check_pages() such that\nwe no longer clear and set flag during the list sanity checking.\n\n[1] and [2] are the test to reproduce and the crash report respectively.\n\n1:\n``` read_trace.sh\n while true;\n do\n # the \"trace\" file is closed after read\n head -1 /sys/kernel/tracing/trace > /dev/null\n done\n```\n``` repro.sh\n sysctl -w kernel.panic_on_warn=1\n # function tracer will writing enough data into ring_buffer\n echo function > /sys/kernel/tracing/current_tracer\n ./read_trace.sh &\n ./read_trace.sh &\n ./read_trace.sh &\n ./read_trace.sh &\n ./read_trace.sh &\n ./read_trace.sh &\n ./read_trace.sh &\n ./read_trace.sh &\n```\n\n2:\n------------[ cut here ]------------\nWARNING: CPU: 9 PID: 62 at kernel/trace/ring_buffer.c:2653\nrb_move_tail+0x450/0x470\nModules linked in:\nCPU: 9 PID: 62 Comm: ksoftirqd/9 Tainted: G W 6.2.0-rc6+\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\nRIP: 0010:rb_move_tail+0x450/0x470\nCode: ff ff 4c 89 c8 f0 4d 0f b1 02 48 89 c2 48 83 e2 fc 49 39 d0 75 24\n83 e0 03 83 f8 02 0f 84 e1 fb ff ff 48 8b 57 10 f0 ff 42 08 <0f> 0b 83\nf8 02 0f 84 ce fb ff ff e9 db\nRSP: 0018:ffffb5564089bd00 EFLAGS: 00000203\nRAX: 0000000000000000 RBX: ffff9db385a2bf81 RCX: ffffb5564089bd18\nRDX: ffff9db281110100 RSI: 0000000000000fe4 RDI: ffff9db380145400\nRBP: ffff9db385a2bf80 R08: ffff9db385a2bfc0 R09: ffff9db385a2bfc2\nR10: ffff9db385a6c000 R11: ffff9db385a2bf80 R12: 0000000000000000\nR13: 00000000000003e8 R14: ffff9db281110100 R15: ffffffffbb006108\nFS: 0000000000000000(0000) GS:ffff9db3bdcc0000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005602323024c8 CR3: 0000000022e0c000 CR4: 00000000000006e0\nCall Trace:\n <TASK>\n ring_buffer_lock_reserve+0x136/0x360\n ? __do_softirq+0x287/0x2df\n ? __pfx_rcu_softirq_qs+0x10/0x10\n trace_function+0x21/0x110\n ? __pfx_rcu_softirq_qs+0x10/0x10\n ? __do_softirq+0x287/0x2df\n function_trace_call+0xf6/0x120\n 0xffffffffc038f097\n ? rcu_softirq_qs+0x5/0x140\n rcu_softirq_qs+0x5/0x140\n __do_softirq+0x287/0x2df\n run_ksoftirqd+0x2a/0x30\n smpboot_thread_fn+0x188/0x220\n ? __pfx_smpboot_thread_fn+0x10/0x10\n kthread+0xe7/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2c/0x50\n </TASK>\n---[ end trace 0000000000000000 ]---\n\n[ crash report and test reproducer credit goes to Zheng Yejian]"}], "id": "CVE-2023-53709", "lastModified": "2025-10-22T21:12:48.953", "metrics": {}, "published": "2025-10-22T14:15:45.510", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/09b1bf25f7f7a8f2bf8cd4278bba9c3172db8013"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6e02a43acd0691791df79ce538f2dd497a6c9b76"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8843e06f67b14f71c044bf6267b2387784c7e198"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9674390ac540ed06768e3fbc2dba553929fbd736"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d41db100bc386b9433a3fc87026f5e8b453653e3"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: ring-buffer: Handle race between rb_move_tail and rb_check_pages", "id": "2405758", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405758"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2023-53709", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-10-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-53709\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53709\nhttps://lore.kernel.org/linux-cve-announce/2025102212-CVE-2023-53709-553a@gregkh/T"], "threat_severity": "Low"}

{"created": "2025-10-23T10:04:40.758464+00:00", "updated": "2025-10-23T10:04:40.758500+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}