CVE-2023-52935
- Source
- https://cve.org/CVERecord?id=CVE-2023-52935
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52935.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-52935
- Downstream
- Related
- Published
- 2025-03-27T16:37:15.505Z
- Modified
- 2026-03-20T12:30:33.637434Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- mm/khugepaged: fix ->anon_vma race
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
mm/khugepaged: fix ->anon_vma race
If an ->anonvma is attached to the VMA, collapseandfreepmd() requires it to be locked.
Page table traversal is allowed under any one of the mmap lock, the anonvma lock (if the VMA is associated with an anonvma), and the mapping lock (if the VMA is associated with a mapping); and so to be able to remove page tables, we must hold all three of them. retractpagetables() bails out if an ->anon_vma is attached, but does this check before holding the mmap lock (as the comment above the check explains).
If we racily merged an existing ->anon_vma (shared with a child process) from a neighboring VMA, subsequent rmap traversals on pages belonging to the child will be able to see the page tables that we are concurrently removing while assuming that nothing else can access them.
Repeat the ->anon_vma check once we hold the mmap lock to ensure that there really is no concurrent page table access.
Hitting this bug causes a lockdep warning in collapseandfreepmd(), in the line "lockdepassertheldwrite(&vma->anon_vma->root->rwsem)". It can also lead to use-after-free access.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52935.json" }- References
-
- https://git.kernel.org/stable/c/023f47a8250c6bdb4aebe744db4bf7f73414028b
- https://git.kernel.org/stable/c/352fbf61ce776fef18dca6a68680a6cd943dac95
- https://git.kernel.org/stable/c/abdf3c33918185c3e8ffeb09ed3e334b3d7df47c
- https://git.kernel.org/stable/c/acb08187b5a83cdb9ac4112fae9e18cf983b0128
- https://git.kernel.org/stable/c/cee956ab1efbd858b4ca61c8b474af5aa24b29a6
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52935.json
- https://nvd.nist.gov/vuln/detail/CVE-2023-52935
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedf3f0e1d2150b2b99da2cbdfaad000089efe9bf30Fixed352fbf61ce776fef18dca6a68680a6cd943dac95Fixedcee956ab1efbd858b4ca61c8b474af5aa24b29a6Fixedabdf3c33918185c3e8ffeb09ed3e334b3d7df47cFixedacb08187b5a83cdb9ac4112fae9e18cf983b0128Fixed023f47a8250c6bdb4aebe744db4bf7f73414028b