{ "threat_severity" : "Moderate", "public_date" : "2025-10-01T00:00:00Z", "bugzilla" : { "description" : "kernel: nbd: fix incomplete validation of ioctl arg", "id" : "2400795", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2400795" }, "cvss3" : { "cvss3_base_score" : "7.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H", "status" : "verified" }, "cwe" : "CWE-190", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnbd: fix incomplete validation of ioctl arg\nWe tested and found an alarm caused by nbd_ioctl arg without verification.\nThe UBSAN warning calltrace like below:\nUBSAN: Undefined behaviour in fs/buffer.c:1709:35\nsigned integer overflow:\n-9223372036854775808 - 1 cannot be represented in type 'long long int'\nCPU: 3 PID: 2523 Comm: syz-executor.0 Not tainted 4.19.90 #1\nHardware name: linux,dummy-virt (DT)\nCall trace:\ndump_backtrace+0x0/0x3f0 arch/arm64/kernel/time.c:78\nshow_stack+0x28/0x38 arch/arm64/kernel/traps.c:158\n__dump_stack lib/dump_stack.c:77 [inline]\ndump_stack+0x170/0x1dc lib/dump_stack.c:118\nubsan_epilogue+0x18/0xb4 lib/ubsan.c:161\nhandle_overflow+0x188/0x1dc lib/ubsan.c:192\n__ubsan_handle_sub_overflow+0x34/0x44 lib/ubsan.c:206\n__block_write_full_page+0x94c/0xa20 fs/buffer.c:1709\nblock_write_full_page+0x1f0/0x280 fs/buffer.c:2934\nblkdev_writepage+0x34/0x40 fs/block_dev.c:607\n__writepage+0x68/0xe8 mm/page-writeback.c:2305\nwrite_cache_pages+0x44c/0xc70 mm/page-writeback.c:2240\ngeneric_writepages+0xdc/0x148 mm/page-writeback.c:2329\nblkdev_writepages+0x2c/0x38 fs/block_dev.c:2114\ndo_writepages+0xd4/0x250 mm/page-writeback.c:2344\nThe reason for triggering this warning is __block_write_full_page()\n-> i_size_read(inode) - 1 overflow.\ninode->i_size is assigned in __nbd_ioctl() -> nbd_set_size() -> bytesize.\nWe think it is necessary to limit the size of arg to prevent errors.\nMoreover, __nbd_ioctl() -> nbd_add_socket(), arg will be cast to int.\nAssuming the value of arg is 0x80000000000000001) (on a 64-bit machine),\nit will become 1 after the coercion, which will return unexpected results.\nFix it by adding checks to prevent passing in too large numbers.", "A flaw has been found in the Linux kernel’s NBD drivers.The issue stems from incomplete validation of IOCTL arguments passed to the NBD driver. Specifically, oversized or unchecked arguments may lead to a signed integer overflow in __block_write_full_page() and misuse of argument values cast to int in nbd_add_socket()." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-12-01T00:00:00Z", "advisory" : "RHSA-2025:22387", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.87.1.rt7.428.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-12-01T00:00:00Z", "advisory" : "RHSA-2025:22388", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.87.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date" : "2026-02-26T00:00:00Z", "advisory" : "RHSA-2026:3388", "cpe" : "cpe:/o:redhat:rhel_aus:8.2", "package" : "kernel-0:4.18.0-193.187.1.el8_2" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2026-01-14T00:00:00Z", "advisory" : "RHSA-2026:0533", "cpe" : "cpe:/o:redhat:rhel_aus:8.4", "package" : "kernel-0:4.18.0-305.183.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "release_date" : "2026-01-14T00:00:00Z", "advisory" : "RHSA-2026:0533", "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4", "package" : "kernel-0:4.18.0-305.183.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2026-01-14T00:00:00Z", "advisory" : "RHSA-2026:0536", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.175.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2026-01-14T00:00:00Z", "advisory" : "RHSA-2026:0536", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.175.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2026-01-14T00:00:00Z", "advisory" : "RHSA-2026:0536", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.175.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2026-01-14T00:00:00Z", "advisory" : "RHSA-2026:0532", "cpe" : "cpe:/o:redhat:rhel_tus:8.8", "package" : "kernel-0:4.18.0-477.124.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2026-01-14T00:00:00Z", "advisory" : "RHSA-2026:0532", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "kernel-0:4.18.0-477.124.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-12-17T00:00:00Z", "advisory" : "RHSA-2025:23426", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "kernel-0:5.14.0-70.158.1.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-12-17T00:00:00Z", "advisory" : "RHSA-2025:23424", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv", "package" : "kernel-rt-0:5.14.0-70.158.1.rt21.230.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:22095", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "kernel-0:5.14.0-284.148.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:22124", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.148.1.rt14.433.el9_2" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53513\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53513\nhttps://lore.kernel.org/linux-cve-announce/2025100130-CVE-2023-53513-4667@gregkh/T" ], "name" : "CVE-2023-53513", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }