CVE-2023-53469

Published: 01 Oct 2025
Source: redhat
CVSS3: 4.7

Description

No description is available for this CVE.

Report

The patch fixes a race in unix_stream_sendpage() where the function accessed the peer's receive queue without locking, leading to a potential use-after-free and null-ptr-deref during concurrent garbage collection. The issue results in a kernel panic (DoS) with no confidentiality or integrity impact. The CVSS vector uses PR:L / AC:H because triggering the issue requires local code capable of creating interconnected AF_UNIX sockets and precise timing to race with the garbage collection process.

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | kernel | Not affected | | |
| Red Hat Enterprise Linux 6 | kernel | Out of support scope | | |
| Red Hat Enterprise Linux 7 | kernel | Fix deferred | | |
| Red Hat Enterprise Linux 7 | kernel-rt | Fix deferred | | |
| Red Hat Enterprise Linux 8 | kernel | Fix deferred | | |
| Red Hat Enterprise Linux 8 | kernel-rt | Fix deferred | | |
| Red Hat Enterprise Linux 9 | kernel | Fix deferred | | |
| Red Hat Enterprise Linux 9 | kernel-rt | Fix deferred | | |

Additional information

Status: Moderate
Defect: CWE-362
https://bugzilla.redhat.com/show_bug.cgi?id=2400775 kernel: af_unix: Fix null-ptr-deref in unix_stream_sendpage()

4.7 Medium

CVSS3

Related vulnerabilities

ubuntu
5 months ago

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

nvd
5 months ago

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

msrc
5 months ago

af_unix: Fix null-ptr-deref in unix_stream_sendpage().

github
5 months ago

In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix null-ptr-deref in unix_stream_sendpage(). Bing-Jhong Billy Jheng reported null-ptr-deref in unix_stream_sendpage() with detailed analysis and a nice repro. unix_stream_sendpage() tries to add data to the last skb in the peer's recv queue without locking the queue. If the peer's FD is passed to another socket and the socket's FD is passed to the peer, there is a loop between them. If we close both sockets without receiving FD, the sockets will be cleaned up by garbage collection. The garbage collection iterates such sockets and unlinks skb with FD from the socket's receive queue under the queue's lock. So, there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free. To avoid the issue, unix_stream_sendpage() must lock the peer's recv queue. Note the issue does not exist in 6.5+ thanks to the recent sendpage...

4.7 Medium

CVSS3