{
  "threat_severity" : "Low",
  "public_date" : "2025-10-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: bpf, cpumap: Make sure kthread is running before map update returns",
    "id" : "2401573",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401573"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-367",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbpf, cpumap: Make sure kthread is running before map update returns\nThe following warning was reported when running stress-mode enabled\nxdp_redirect_cpu with some RT threads:\n------------[ cut here ]------------\nWARNING: CPU: 4 PID: 65 at kernel/bpf/cpumap.c:135\nCPU: 4 PID: 65 Comm: kworker/4:1 Not tainted 6.5.0-rc2+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nWorkqueue: events cpu_map_kthread_stop\nRIP: 0010:put_cpu_map_entry+0xda/0x220\n......\nCall Trace:\n<TASK>\n? show_regs+0x65/0x70\n? __warn+0xa5/0x240\n......\n? put_cpu_map_entry+0xda/0x220\ncpu_map_kthread_stop+0x41/0x60\nprocess_one_work+0x6b0/0xb80\nworker_thread+0x96/0x720\nkthread+0x1a5/0x1f0\nret_from_fork+0x3a/0x70\nret_from_fork_asm+0x1b/0x30\n</TASK>\nThe root cause is the same as commit 436901649731 (\"bpf: cpumap: Fix memory\nleak in cpu_map_update_elem\"). The kthread is stopped prematurely by\nkthread_stop() in cpu_map_kthread_stop(), and kthread() doesn't call\ncpu_map_kthread_run() at all but XDP program has already queued some\nframes or skbs into ptr_ring. So when __cpu_map_ring_cleanup() checks\nthe ptr_ring, it will find it was not emptied and report a warning.\nAn alternative fix is to use __cpu_map_ring_cleanup() to drop these\npending frames or skbs when kthread_stop() returns -EINTR, but it may\nconfuse the user, because these frames or skbs have been handled\ncorrectly by XDP program. So instead of dropping these frames or skbs,\njust make sure the per-cpu kthread is running before\n__cpu_map_entry_alloc() returns.\nAfter applying the fix, the error handle for kthread_stop() will be\nunnecessary because it will always return 0, so just remove it.", "A race condition was found in the Linux kernel's BPF cpumap implementation in the kthread lifecycle management.\nA local user can trigger this issue by running XDP redirect operations when the per-CPU kthread is stopped prematurely before processing queued frames, causing the cleanup code to find a non-empty ptr_ring and report warnings. This results in kernel warnings and denial of service through system instability." ],
  "statement" : "The cpumap uses per-CPU kthreads to process XDP redirected packets. When a CPU map entry is being removed, kthread_stop is called which can return -EINTR if the thread hasn't fully started yet. Meanwhile, XDP programs may have already queued frames into the ptr_ring. The __cpu_map_ring_cleanup function expects the ring to be empty when called, but with the prematurely stopped kthread, queued frames remain unprocessed. This creates a state where frames were correctly handled by the XDP program but never consumed by the kthread, leading to warnings about non-empty rings. The fix ensures the kthread is fully running before allowing map updates to complete, preventing the race.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-05-22T00:00:00Z",
    "advisory" : "RHSA-2024:3138",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53577\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53577\nhttps://lore.kernel.org/linux-cve-announce/2025100455-CVE-2023-53577-96e9@gregkh/T" ],
  "name" : "CVE-2023-53577",
  "csaw" : false
}