CVE-2023-53427

Source
https://cve.org/CVERecord?id=CVE-2023-53427
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53427.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53427
Published
2025-09-18T16:04:08.917Z
Modified
2026-03-09T23:57:01.447111Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
cifs: Fix warning and UAF when destroy the MR list
Details

In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix warning and UAF when destroy the MR list

If the MR allocation fails, the MR recovery work is not initialized and the list is not cleared. Then there will be a warning and a UAF when releasing the MR:

WARNING: CPU: 4 PID: 824 at kernel/workqueue.c:3066 __flush_work.isra.0+0xf7/0x110
CPU: 4 PID: 824 Comm: mount.cifs Not tainted 6.1.0-rc5+ #82
RIP: 0010:__flush_work.isra.0+0xf7/0x110
Call Trace:
 <TASK>
 __cancel_work_timer+0x2ba/0x2e0
 smbd_destroy+0x4e1/0x990
 _smbd_get_connection+0x1cbd/0x2110
 smbd_get_connection+0x21/0x40
 cifs_get_tcp_session+0x8ef/0xda0
 mount_get_conns+0x60/0x750
 cifs_mount+0x103/0xd00
 cifs_smb3_do_mount+0x1dd/0xcb0
 smb3_get_tree+0x1d5/0x300
 vfs_get_tree+0x41/0xf0
 path_mount+0x9b3/0xdd0
 __x64_sys_mount+0x190/0x1d0
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

BUG: KASAN: use-after-free in smbd_destroy+0x4fc/0x990
Read of size 8 at addr ffff88810b156a08 by task mount.cifs/824
CPU: 4 PID: 824 Comm: mount.cifs Tainted: G        W          6.1.0-rc5+ #82
Call Trace:
 dump_stack_lvl+0x34/0x44
 print_report+0x171/0x472
 kasan_report+0xad/0x130
 smbd_destroy+0x4fc/0x990
 _smbd_get_connection+0x1cbd/0x2110
 smbd_get_connection+0x21/0x40
 cifs_get_tcp_session+0x8ef/0xda0
 mount_get_conns+0x60/0x750
 cifs_mount+0x103/0xd00
 cifs_smb3_do_mount+0x1dd/0xcb0
 smb3_get_tree+0x1d5/0x300
 vfs_get_tree+0x41/0xf0
 path_mount+0x9b3/0xdd0
 __x64_sys_mount+0x190/0x1d0
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Allocated by task 824:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 __kasan_kmalloc+0x7a/0x90
 _smbd_get_connection+0x1b6f/0x2110
 smbd_get_connection+0x21/0x40
 cifs_get_tcp_session+0x8ef/0xda0
 mount_get_conns+0x60/0x750
 cifs_mount+0x103/0xd00
 cifs_smb3_do_mount+0x1dd/0xcb0
 smb3_get_tree+0x1d5/0x300
 vfs_get_tree+0x41/0xf0
 path_mount+0x9b3/0xdd0
 __x64_sys_mount+0x190/0x1d0
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 824:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_save_free_info+0x2a/0x40
 ____kasan_slab_free+0x143/0x1b0
 __kmem_cache_free+0xc8/0x330
 _smbd_get_connection+0x1c6a/0x2110
 smbd_get_connection+0x21/0x40
 cifs_get_tcp_session+0x8ef/0xda0
 mount_get_conns+0x60/0x750
 cifs_mount+0x103/0xd00
 cifs_smb3_do_mount+0x1dd/0xcb0
 smb3_get_tree+0x1d5/0x300
 vfs_get_tree+0x41/0xf0
 path_mount+0x9b3/0xdd0
 __x64_sys_mount+0x190/0x1d0
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Let's initialize the MR recovery work before the MR allocation to prevent the warning, and remove the MRs from the list to prevent the UAF.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53427.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c7398583340a6d82b8bb7f7f21edcde27dc6a898
Fixed
275a3d2b9408fc4895e342f772cab9a89960546e
Fixed
3524d6da0fe88aee79f06be6572955d16ad76b39
Fixed
cfd85a0922c4696d768965e686ad805a58d9d834
Fixed
7cbd5bdb5bd4404a5da4309521134b42c65846c0
Fixed
41832c62a75dad530dc5a2856c92ae5459d497e5
Fixed
2d0c4f5f618f58eba03385363717703bee873c64
Fixed
3e161c2791f8e661eed24a2c624087084d910215

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53427.json"