{ "threat_severity" : "Moderate", "public_date" : "2025-10-01T00:00:00Z", "bugzilla" : { "description" : "kernel: crypto: xts - Handle EBUSY correctly", "id" : "2400777", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2400777" }, "cvss3" : { "cvss3_base_score" : "7.8", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-664", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ncrypto: xts - Handle EBUSY correctly\nAs it is xts only handles the special return value of EINPROGRESS,\nwhich means that in all other cases it will free data related to the\nrequest.\nHowever, as the caller of xts may specify MAY_BACKLOG, we also need\nto expect EBUSY and treat it in the same way. Otherwise backlogged\nrequests will trigger a use-after-free.", "A flaw use after free in the Linux kernel XTS (XOR Encrypt XOR with ciphertext stealing) crypto Kernel module was found in the way privileges user triggers XTS crypto API in specific way.\nA local user could use this flaw to crash the system or potentially escalate their privileges on the system." ], "statement" : "The patch fixes a use-after-free in the XTS skcipher template where -EBUSY from the crypto backend (with MAY_BACKLOG) was not treated like -EINPROGRESS, causing request data to be freed while still referenced.\nImpact is kernel memory corruption (high integrity/availability impact).\nFor the CVSS the PR:L because triggering requires the ability to invoke kernel crypto operations (e.g., via AF_ALG skcipher XTS) and craft conditions that lead to a backlogged request.\nNote: In a standard Linux installation, this vulnerability can only be triggered by the root user, since access to the kernel crypto API (e.g., via AF_ALG sockets or device-mapper targets using XTS mode) requires CAP_SYS_ADMIN privileges.\nHowever, in specific environments such as containers or sandboxed setups where unprivileged users are granted CAP_SYS_ADMIN (or equivalent capabilities), a non-root user within that environment may also be able to exploit the issue.\nIn hardened setups where AF_ALG is restricted, this path may be limited to privileged users.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-03T00:00:00Z", "advisory" : "RHSA-2025:19409", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.60.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-12T00:00:00Z", "advisory" : "RHSA-2025:21112", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.7.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-03T00:00:00Z", "advisory" : "RHSA-2025:19409", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.60.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-12T00:00:00Z", "advisory" : "RHSA-2025:21112", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.7.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-11-12T00:00:00Z", "advisory" : "RHSA-2025:21091", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "kernel-0:5.14.0-70.153.1.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-11-12T00:00:00Z", "advisory" : "RHSA-2025:21136", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv", "package" : "kernel-rt-0:5.14.0-70.153.1.rt21.225.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-11-12T00:00:00Z", "advisory" : "RHSA-2025:21051", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "kernel-0:5.14.0-284.146.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-11-12T00:00:00Z", "advisory" : "RHSA-2025:21128", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.146.1.rt14.431.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-11-19T00:00:00Z", "advisory" : "RHSA-2025:21760", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "kernel-0:5.14.0-427.100.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53494\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53494\nhttps://lore.kernel.org/linux-cve-announce/2025100124-CVE-2023-53494-6542@gregkh/T" ], "name" : "CVE-2023-53494", "mitigation" : { "value" : "To mitigate this issue, prevent module xts from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.", "lang" : "en:us" }, "csaw" : false }