CVE-2023-53586
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-04

Last updated on: 2026-03-23

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: scsi: target: Fix multiple LUN_RESET handling This fixes a bug where an initiator thinks a LUN_RESET has cleaned up running commands when it hasn't. The bug was added in commit 51ec502a3266 ("target: Delete tmr from list before processing"). The problem occurs when: 1. We have N I/O cmds running in the target layer spread over 2 sessions. 2. The initiator sends a LUN_RESET for each session. 3. session1's LUN_RESET loops over all the running commands from both sessions and moves them to its local drain_task_list. 4. session2's LUN_RESET does not see the LUN_RESET from session1 because the commit above has it remove itself. session2 also does not see any commands since the other reset moved them off the state lists. 5. sessions2's LUN_RESET will then complete with a successful response. 6. sessions2's inititor believes the running commands on its session are now cleaned up due to the successful response and cleans up the running commands from its side. It then restarts them. 7. The commands do eventually complete on the backend and the target starts to return aborted task statuses for them. The initiator will either throw a invalid ITT error or might accidentally lookup a new task if the ITT has been reallocated already. Fix the bug by reverting the patch, and serialize the execution of LUN_RESETs and Preempt and Aborts. Also prevent us from waiting on LUN_RESETs in core_tmr_drain_tmr_list, because it turns out the original patch fixed a bug that was not mentioned. For LUN_RESET1 core_tmr_drain_tmr_list can see a second LUN_RESET and wait on it. Then the second reset will run core_tmr_drain_tmr_list and see the first reset and wait on it resulting in a deadlock.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-04
Last Modified
2026-03-23
Generated
2026-05-07
AI Q&A
2025-10-04
EPSS Evaluated
2026-05-05
NVD
CVE-2023-53586
EUVD
EUVD-2025-32309
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.3 (inc) to 6.3.2 (exc)
linux linux_kernel From 6.2 (inc) to 6.2.15 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.28 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.111 (exc)
linux linux_kernel From 4.11 (inc) to 5.10.180 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-415 The product calls free() twice on the same memory address.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a bug in the Linux kernel's SCSI target layer related to handling multiple LUN_RESET commands across different sessions. When two sessions send LUN_RESET commands simultaneously, one session's reset moves running commands to a local list, causing the other session's reset to incorrectly believe all commands are cleaned up. This leads the initiator to mistakenly restart commands that are still running, resulting in errors such as invalid ITT errors or task lookup failures. The bug was introduced by a specific commit and fixed by reverting that commit and serializing LUN_RESET executions to prevent deadlocks.


How can this vulnerability impact me? :

This vulnerability can cause the initiator to incorrectly assume that running commands have been cleaned up after a LUN_RESET, leading to the restarting of commands that are still active. This can result in errors such as invalid ITT errors or accidental lookup of new tasks if ITT values have been reallocated. Ultimately, this can cause command processing errors and instability in SCSI target operations.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart