CVE-2023-54107
Unknown Unknown - Not Provided
Use-After-Free Vulnerability in Linux Kernel blk-cgroup Component

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: dropping parent refcount after pd_free_fn() is done Some cgroup policies will access parent pd through child pd even after pd_offline_fn() is done. If pd_free_fn() for parent is called before child, then UAF can be triggered. Hence it's better to guarantee the order of pd_free_fn(). Currently refcount of parent blkg is dropped in __blkg_release(), which is before pd_free_fn() is called in blkg_free_work_fn() while blkg_free_work_fn() is called asynchronously. This patch make sure pd_free_fn() called from removing cgroup is ordered by delaying dropping parent refcount after calling pd_free_fn() for child. BTW, pd_free_fn() will also be called from blkcg_deactivate_policy() from deleting device, and following patches will guarantee the order.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-06-16
AI Q&A
2025-12-24
EPSS Evaluated
2026-06-14
NVD
CVE-2023-54107
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel involves a use-after-free (UAF) issue related to the blk-cgroup subsystem. Specifically, some cgroup policies access the parent's page directory (pd) through the child's pd even after the child's pd_offline_fn() has completed. If the parent's pd_free_fn() is called before the child's, it can trigger a UAF condition. The problem arises because the reference count of the parent block group (blkg) is dropped asynchronously before pd_free_fn() is called, leading to potential premature freeing. The fix ensures the correct order by delaying dropping the parent's refcount until after pd_free_fn() is called for the child, preventing the UAF.

Impact Analysis

This vulnerability can lead to a use-after-free condition in the Linux kernel's blk-cgroup subsystem, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges if exploited. Such kernel-level vulnerabilities can compromise system security and reliability.

Mitigation Strategies

To mitigate this vulnerability, update your Linux kernel to a version that includes the patch fixing the blk-cgroup parent refcount issue. This patch ensures the correct order of pd_free_fn() calls to prevent use-after-free conditions. Applying the latest kernel updates from your distribution or vendor is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-54107. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart