CVE-2023-54269
- Source
- https://cve.org/CVERecord?id=CVE-2023-54269
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54269.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-54269
- Downstream
- Related
- Published
- 2025-12-30T12:16:00.317Z
- Modified
- 2026-03-20T12:33:31.784270Z
- Summary
- SUNRPC: double free xprt_ctxt while still in use
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: double free xprt_ctxt while still in use
When an RPC request is deferred, the rqxprtctxt pointer is moved out of the svcrqst into the svcdeferredreq. When the deferred request is revisited, the pointer is copied into the new svcrqst - and also remains in the svcdeferredreq.
In the (rare?) case that the request is deferred a second time, the old svcdeferredreq is reused - it still has all the correct content. However in that case the rqxprtctxt pointer is NOT cleared so that when xporeleasexprt is called, the ctxt is freed (UDP) or possible added to a free list (RDMA). When the deferred request is revisited for a second time, it will reference this ctxt which may be invalid, and the free the object a second time which is likely to oops.
So change svcdefer() to always clear rqxprtctxt, and assert that the value is now stored in the svcdeferred_req.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54269.json" }- References
-
- https://git.kernel.org/stable/c/7851771789e87108a92697194105ef0c9307dc5e
- https://git.kernel.org/stable/c/e0c648627322a4c7e018e5c7f837c3c03e297dbb
- https://git.kernel.org/stable/c/eb8d3a2c809abd73ab0a060fe971d6b9019aa3c1
- https://git.kernel.org/stable/c/fd86534872f445f54dc01e7db001e25eadf063a8
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54269.json
- https://nvd.nist.gov/vuln/detail/CVE-2023-54269
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedf5e13d700a4d40ccde3d36e383f9247dcb3c1d2dFixed7851771789e87108a92697194105ef0c9307dc5e
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced773f91b2cf3f52df0d7508fdbf60f37567cdaee4Fixedfd86534872f445f54dc01e7db001e25eadf063a8Fixede0c648627322a4c7e018e5c7f837c3c03e297dbbFixedeb8d3a2c809abd73ab0a060fe971d6b9019aa3c1
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected11fab500f86403b2ebf6795feeade6e10302e448