CVE-2023-53421
Modified Modified - Updated After Analysis
BaseFortify

Publication date: 2025-09-18

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Reinit blkg_iostat_set after clearing in blkcg_reset_stats() When blkg_alloc() is called to allocate a blkcg_gq structure with the associated blkg_iostat_set's, there are 2 fields within blkg_iostat_set that requires proper initialization - blkg & sync. The former field was introduced by commit 3b8cc6298724 ("blk-cgroup: Optimize blkcg_rstat_flush()") while the later one was introduced by commit f73316482977 ("blk-cgroup: reimplement basic IO stats using cgroup rstat"). Unfortunately those fields in the blkg_iostat_set's are not properly re-initialized when they are cleared in v1's blkcg_reset_stats(). This can lead to a kernel panic due to NULL pointer access of the blkg pointer. The missing initialization of sync is less problematic and can be a problem in a debug kernel due to missing lockdep initialization. Fix these problems by re-initializing them after memory clearing.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-18
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2025-09-18
EPSS Evaluated
2026-06-15
NVD
CVE-2023-53421
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.5 (inc) to 6.3.13 (exc)
linux linux_kernel From 6.4 (inc) to 6.4.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Linux kernel's blk-cgroup subsystem. When allocating a blkcg_gq structure, two fields within the associated blkg_iostat_set (blkg and sync) are not properly re-initialized after being cleared. This improper re-initialization can lead to a kernel panic caused by a NULL pointer access of the blkg pointer. The sync field's missing initialization is less severe but can cause issues in debug kernels due to missing lockdep initialization. The issue is fixed by ensuring these fields are re-initialized after memory clearing.

Impact Analysis

This vulnerability can cause a kernel panic in the Linux system, leading to system crashes or instability. This can disrupt normal operations, potentially causing downtime or data loss depending on the environment where the kernel is running.

Mitigation Strategies

To mitigate this vulnerability, update your Linux kernel to a version that includes the fix for the blk-cgroup issue where blkg_iostat_set fields are properly re-initialized after clearing. This will prevent kernel panic due to NULL pointer access. Avoid running debug kernels that might expose additional issues related to missing lockdep initialization until patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-53421. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart