CVE-2023-53665
BaseFortify

Publication date: 2025-10-07

Last updated on: 2026-02-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

md: don't dereference mddev after export_rdev()

Except for initial reference, mddev->kobject is referenced by rdev->kobject, and if the last rdev is freed, there is no guarantee that mddev is still valid. Hence mddev should not be used anymore after export_rdev().

This problem can be triggered by the following test for mdadm at a very low rate:

New file: mdadm/tests/23rdev-lifetime

devname=${dev0##*/}
devt=`cat /sys/block/$devname/dev`
pid=""
runtime=2

clean_up_test() {
    kill -9 $pid
    echo clear > /sys/block/md0/md/array_state
}

trap 'clean_up_test' EXIT

add_by_sysfs() {
    while true; do
        echo $devt > /sys/block/md0/md/new_dev
    done
}

remove_by_sysfs(){
    while true; do
        echo remove > /sys/block/md0/md/dev-${devname}/state
    done
}

echo md0 > /sys/module/md_mod/parameters/new_array || die "create md0 failed"

add_by_sysfs &
pid="$pid $!"
remove_by_sysfs &
pid="$pid $!"
sleep $runtime
exit 0

Test cmd:

./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime

Test result:

general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bcb: 0000 [#4] PREEMPT SMP
CPU: 0 PID: 1292 Comm: test Tainted: G D W 6.5.0-rc2-00121-g01e55c376936 #562
RIP: 0010:md_wakeup_thread+0x9e/0x320 [md_mod]
Call Trace:
 <TASK>
 mddev_unlock+0x1b6/0x310 [md_mod]
 rdev_attr_store+0xec/0x190 [md_mod]
 sysfs_kf_write+0x52/0x70
 kernfs_fop_write_iter+0x19a/0x2a0
 vfs_write+0x3b5/0x770
 ksys_write+0x74/0x150
 __x64_sys_write+0x22/0x30
 do_syscall_64+0x40/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fix this problem by not dereferencing mddev after export_rdev().
Affected Vendors & Products (2 associated CPEs)

Vendor   Product        Version / Range
linux    linux_kernel   6.6
linux    linux_kernel   From 5.15.160 (inc) to 5.16 (inc)
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This is a use-after-free in the Linux kernel's md (multiple device, software RAID) subsystem caused by an object-lifetime mistake. Apart from the array's own initial reference, the mddev object stays alive only through the references that each rdev (member device) holds on it: mddev->kobject is referenced by rdev->kobject. export_rdev() releases an rdev, and if that rdev held the last reference, the mddev is freed along with it. Code that still touches mddev after calling export_rdev() therefore reads freed memory. In the reported crash the write to the rdev's sysfs "state" attribute went through rdev_attr_store(), and the subsequent mddev_unlock() called md_wakeup_thread() on the stale mddev. The faulting address 0x6b6b6b6b6b6b6bcb is a pointer read out of slab-poisoned memory (0x6b is the poison byte written into freed slab objects when poisoning is enabled), which is the characteristic signature of a use-after-free. The race is triggered by rapidly adding a device through /sys/block/md0/md/new_dev while concurrently removing it through the per-device "state" attribute, as the mdadm test in the description does; it only hits when the removal drops the last reference, which is why it reproduces at a very low rate. The fix ensures mddev is not dereferenced after export_rdev().
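To make the lifetime rule concrete, here is a user-space model of the pattern described above: an array object (mddev) kept alive by references from its member devices (rdev), a release routine (export_rdev) that may drop the last reference, and the vulnerable ordering next to two safe orderings. This is added illustrative code, not drivers/md/md.c and not the upstream fix; the structures, the refcount plumbing and the helper names mddev_create, rdev_bind, run_removal and the three remove_rdev_* routines are assumptions of the model. Freed objects are flagged instead of free()d so that a dangling access is reported rather than crashing the demo.

```c
#include <stdio.h>
#include <stdlib.h>

/* Model of the kernel objects. Apart from the initial reference, the mddev is
 * kept alive only by the references each bound rdev holds on it. */
struct mddev {
    int kobj_refs;   /* models the mddev->kobject refcount */
    int freed;       /* set when the last reference is dropped (stands in for kfree) */
    int wakeups;     /* md_wakeup_thread() calls that reached a live mddev */
};

struct md_rdev {
    struct mddev *mddev;   /* each bound rdev holds one reference on its mddev */
};

/* Drop a reference; the object is flagged, not free()d, so misuse is observable. */
static void mddev_put(struct mddev *mddev)
{
    if (--mddev->kobj_refs == 0)
        mddev->freed = 1;
}

static struct mddev *mddev_create(void)
{
    struct mddev *mddev = calloc(1, sizeof(*mddev));
    mddev->kobj_refs = 1;   /* the array's initial reference */
    return mddev;
}

/* Binding an rdev takes a reference on the array (rdev->kobject -> mddev->kobject). */
static struct md_rdev *rdev_bind(struct mddev *mddev)
{
    struct md_rdev *rdev = calloc(1, sizeof(*rdev));
    rdev->mddev = mddev;
    mddev->kobj_refs++;
    return rdev;
}

/* Model of md_wakeup_thread(): the kernel read mddev->thread and faulted on
 * slab-poisoned memory; the model reports -1 for a touch of a freed mddev. */
static int md_wakeup_thread(struct mddev *mddev)
{
    if (mddev->freed)
        return -1;
    mddev->wakeups++;
    return 0;
}

/* export_rdev(): release the rdev and the mddev reference it carried.
 * After this returns, mddev may no longer exist. */
static void export_rdev(struct md_rdev *rdev)
{
    struct mddev *mddev = rdev->mddev;
    rdev->mddev = NULL;
    free(rdev);
    mddev_put(mddev);
}

/* Vulnerable ordering: mddev is dereferenced after export_rdev(). It only
 * fails when the rdev held the last reference, hence the rare reproduction. */
static int remove_rdev_vulnerable(struct md_rdev *rdev)
{
    struct mddev *mddev = rdev->mddev;
    export_rdev(rdev);
    return md_wakeup_thread(mddev);   /* use-after-free when the array is already gone */
}

/* Fix 1: finish everything that needs mddev before dropping the rdev. */
static int remove_rdev_reordered(struct md_rdev *rdev)
{
    struct mddev *mddev = rdev->mddev;
    int ret = md_wakeup_thread(mddev);
    export_rdev(rdev);
    return ret;
}

/* Fix 2: if the order cannot change, pin mddev with a reference of your own
 * across the call that may drop the last one. */
static int remove_rdev_pinned(struct md_rdev *rdev)
{
    struct mddev *mddev = rdev->mddev;
    int ret;
    mddev->kobj_refs++;               /* our own reference keeps mddev alive */
    export_rdev(rdev);
    ret = md_wakeup_thread(mddev);
    mddev_put(mddev);                 /* may now be the last reference */
    return ret;
}

/* Drive one removal. array_alive = 0 models the window in the reported test:
 * the array's initial reference is already gone while a sysfs "remove" is in
 * flight, so the rdev holds the last reference. Returns the removal routine's
 * result: 0 for a clean run, -1 for a dereference of the freed mddev. */
static int run_removal(int (*remove)(struct md_rdev *), int array_alive)
{
    struct mddev *mddev = mddev_create();
    struct md_rdev *rdev = rdev_bind(mddev);
    int rc;
    if (!array_alive)
        mddev_put(mddev);   /* only the rdev keeps mddev alive from here on */
    rc = remove(rdev);
    free(mddev);            /* the model never free()d it; release it for real */
    return rc;
}

int main(void)
{
    printf("vulnerable, array alive: %d\n", run_removal(remove_rdev_vulnerable, 1));
    printf("vulnerable, last ref in rdev: %d\n", run_removal(remove_rdev_vulnerable, 0));
    printf("reordered, last ref in rdev: %d\n", run_removal(remove_rdev_reordered, 0));
    printf("pinned, last ref in rdev: %d\n", run_removal(remove_rdev_pinned, 0));
    return 0;
}
```

The vulnerable routine passes while the array is healthy and only fails once the rdev is the last thing holding the mddev, which is exactly why the reproducer needs concurrent add and remove loops to hit the window. Both fixes are ordinary refcount hygiene: either do not touch the object after the call that may release it, or hold your own reference across that call.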


How can this vulnerability impact me?

The observed outcome is a kernel general protection fault, so the practical impact is a crash of the host (denial of service) and any I/O it was serving. The triggering writes go to md sysfs attributes under /sys/block/md0/md/ and to the md_mod module parameter, which are only writable by root (the md sysfs store handlers require CAP_SYS_ADMIN), so an unprivileged local user cannot reach the bug; the realistic triggers are a privileged but buggy management process, storage automation that adds and removes member devices in a tight loop, or a local attacker who already has root. The report describes only the crash; no further exploitation of the freed memory is described.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Do not use the reproducer as a detection step on a production system: it is a crash proof of concept, and a "hit" takes the machine down. Instead, check whether the host is exposed at all (whether the md driver is in use, e.g. /proc/mdstat lists arrays or md_mod is loaded) and compare the running kernel (uname -r) against your distribution's advisory for this CVE to see whether the fix is present. If you need to confirm the bug on a disposable test machine, the mdadm test from the description repeatedly adds a device through /sys/block/md0/md/new_dev while removing it through /sys/block/md0/md/dev-<devname>/state; the command used in the report is: ./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime. An affected kernel shows a general protection fault in dmesg with a non-canonical address built from the 0x6b slab poison byte and md_wakeup_thread, mddev_unlock and rdev_attr_store in the call trace; because the race is rare, a clean run does not prove the kernel is fixed.


What immediate steps should I take to mitigate this vulnerability?

The fix is in the kernel itself (mddev is no longer dereferenced after export_rdev()), so the mitigation is to update to a kernel that carries it, normally through your distribution's kernel update for this CVE, and reboot. Until the update is applied, exposure is limited to processes that can write md sysfs attributes, which requires root; avoid automation that adds and removes md member devices in rapid succession, and keep root access on hosts running software RAID restricted to trusted administrators.

