CVE-2023-54107
Unknown Unknown - Not Provided

Use-After-Free Vulnerability in Linux Kernel blk-cgroup Component

Vulnerability report for CVE-2023-54107, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: dropping parent refcount after pd_free_fn() is done Some cgroup policies will access parent pd through child pd even after pd_offline_fn() is done. If pd_free_fn() for parent is called before child, then UAF can be triggered. Hence it's better to guarantee the order of pd_free_fn(). Currently refcount of parent blkg is dropped in __blkg_release(), which is before pd_free_fn() is called in blkg_free_work_fn() while blkg_free_work_fn() is called asynchronously. This patch make sure pd_free_fn() called from removing cgroup is ordered by delaying dropping parent refcount after calling pd_free_fn() for child. BTW, pd_free_fn() will also be called from blkcg_deactivate_policy() from deleting device, and following patches will guarantee the order.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-07-06
AI Q&A
2025-12-25
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, update your Linux kernel to a version that includes the patch fixing the blk-cgroup parent refcount issue. This patch ensures the correct order of pd_free_fn() calls to prevent use-after-free conditions. Applying the latest kernel updates from your distribution or vendor is recommended.

Executive Summary

This vulnerability in the Linux kernel involves a use-after-free (UAF) issue related to the blk-cgroup subsystem. Specifically, some cgroup policies access the parent's page directory (pd) through the child's pd even after the child's pd_offline_fn() has completed. If the parent's pd_free_fn() is called before the child's, it can trigger a UAF condition. The problem arises because the reference count of the parent block group (blkg) is dropped asynchronously before pd_free_fn() is called, leading to potential premature freeing. The fix ensures the correct order by delaying dropping the parent's refcount until after pd_free_fn() is called for the child, preventing the UAF.

Impact Analysis

This vulnerability can lead to a use-after-free condition in the Linux kernel's blk-cgroup subsystem, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges if exploited. Such kernel-level vulnerabilities can compromise system security and reliability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-54107. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart