{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-18T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()",
    "id" : "2396417",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2396417"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-362",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()\nKCSAN found an issue in obj_stock_flush_required():\nstock->cached_objcg can be reset between the check and dereference:\n==================================================================\nBUG: KCSAN: data-race in drain_all_stock / drain_obj_stock\nwrite to 0xffff888237c2a2f8 of 8 bytes by task 19625 on cpu 0:\ndrain_obj_stock+0x408/0x4e0 mm/memcontrol.c:3306\nrefill_obj_stock+0x9c/0x1e0 mm/memcontrol.c:3340\nobj_cgroup_uncharge+0xe/0x10 mm/memcontrol.c:3408\nmemcg_slab_free_hook mm/slab.h:587 [inline]\n__cache_free mm/slab.c:3373 [inline]\n__do_kmem_cache_free mm/slab.c:3577 [inline]\nkmem_cache_free+0x105/0x280 mm/slab.c:3602\n__d_free fs/dcache.c:298 [inline]\ndentry_free fs/dcache.c:375 [inline]\n__dentry_kill+0x422/0x4a0 fs/dcache.c:621\ndentry_kill+0x8d/0x1e0\ndput+0x118/0x1f0 fs/dcache.c:913\n__fput+0x3bf/0x570 fs/file_table.c:329\n____fput+0x15/0x20 fs/file_table.c:349\ntask_work_run+0x123/0x160 kernel/task_work.c:179\nresume_user_mode_work include/linux/resume_user_mode.h:49 [inline]\nexit_to_user_mode_loop+0xcf/0xe0 kernel/entry/common.c:171\nexit_to_user_mode_prepare+0x6a/0xa0 kernel/entry/common.c:203\n__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]\nsyscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:296\ndo_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nread to 0xffff888237c2a2f8 of 8 bytes by task 19632 on cpu 1:\nobj_stock_flush_required mm/memcontrol.c:3319 [inline]\ndrain_all_stock+0x174/0x2a0 mm/memcontrol.c:2361\ntry_charge_memcg+0x6d0/0xd10 mm/memcontrol.c:2703\ntry_charge mm/memcontrol.c:2837 [inline]\nmem_cgroup_charge_skmem+0x51/0x140 mm/memcontrol.c:7290\nsock_reserve_memory+0xb1/0x390 net/core/sock.c:1025\nsk_setsockopt+0x800/0x1e70 net/core/sock.c:1525\nudp_lib_setsockopt+0x99/0x6c0 net/ipv4/udp.c:2692\nudp_setsockopt+0x73/0xa0 net/ipv4/udp.c:2817\nsock_common_setsockopt+0x61/0x70 net/core/sock.c:3668\n__sys_setsockopt+0x1c3/0x230 net/socket.c:2271\n__do_sys_setsockopt net/socket.c:2282 [inline]\n__se_sys_setsockopt net/socket.c:2279 [inline]\n__x64_sys_setsockopt+0x66/0x80 net/socket.c:2279\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nvalue changed: 0xffff8881382d52c0 -> 0xffff888138893740\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 19632 Comm: syz-executor.0 Not tainted 6.3.0-rc2-syzkaller-00387-g534293368afa #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023\nFix it by using READ_ONCE()/WRITE_ONCE() for all accesses to\nstock->cached_objcg.", "A NULL pointer dereference exists in the Linux kernel such that in obj_stock_flush_required(): stock->cached_objcg can be reset between the check and dereference, resulting in damage to the availability of the system." ],
  "statement" : "A race in the memcg/objcg accounting allowed stock->cached_objcg to change between check and use, leading to a NULL pointer dereference and kernel crash under concurrency. The fix uses READ_ONCE/WRITE_ONCE for all accesses to cached_objcg, eliminating the data race observed by KCSAN. Impact is a local kernel DoS.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-12-08T00:00:00Z",
    "advisory" : "RHSA-2025:22800",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.89.1.rt7.430.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-12-08T00:00:00Z",
    "advisory" : "RHSA-2025:22801",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.89.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0533",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.183.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0533",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "kernel-0:4.18.0-305.183.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0536",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.175.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0536",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.175.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0536",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.175.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2025-12-17T00:00:00Z",
    "advisory" : "RHSA-2025:23427",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.123.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2025-12-17T00:00:00Z",
    "advisory" : "RHSA-2025:23427",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.123.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-11-12T00:00:00Z",
    "advisory" : "RHSA-2025:21091",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.153.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-11-12T00:00:00Z",
    "advisory" : "RHSA-2025:21136",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.153.1.rt21.225.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-11-12T00:00:00Z",
    "advisory" : "RHSA-2025:21051",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.146.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-11-12T00:00:00Z",
    "advisory" : "RHSA-2025:21128",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.146.1.rt14.431.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-11-06T00:00:00Z",
    "advisory" : "RHSA-2025:19886",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.97.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53401\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53401\nhttps://lore.kernel.org/linux-cve-announce/2025091800-CVE-2023-53401-b668@gregkh/T" ],
  "name" : "CVE-2023-53401",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}