{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: scsi: target: Fix multiple LUN_RESET handling",
    "id" : "2401541",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401541"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-821",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nscsi: target: Fix multiple LUN_RESET handling\nThis fixes a bug where an initiator thinks a LUN_RESET has cleaned up\nrunning commands when it hasn't. The bug was added in commit 51ec502a3266\n(\"target: Delete tmr from list before processing\").\nThe problem occurs when:\n1. We have N I/O cmds running in the target layer spread over 2 sessions.\n2. The initiator sends a LUN_RESET for each session.\n3. session1's LUN_RESET loops over all the running commands from both\nsessions and moves them to its local drain_task_list.\n4. session2's LUN_RESET does not see the LUN_RESET from session1 because\nthe commit above has it remove itself. session2 also does not see any\ncommands since the other reset moved them off the state lists.\n5. sessions2's LUN_RESET will then complete with a successful response.\n6. sessions2's inititor believes the running commands on its session are\nnow cleaned up due to the successful response and cleans up the running\ncommands from its side. It then restarts them.\n7. The commands do eventually complete on the backend and the target\nstarts to return aborted task statuses for them. The initiator will\neither throw a invalid ITT error or might accidentally lookup a new\ntask if the ITT has been reallocated already.\nFix the bug by reverting the patch, and serialize the execution of\nLUN_RESETs and Preempt and Aborts.\nAlso prevent us from waiting on LUN_RESETs in core_tmr_drain_tmr_list,\nbecause it turns out the original patch fixed a bug that was not\nmentioned. For LUN_RESET1 core_tmr_drain_tmr_list can see a second\nLUN_RESET and wait on it. Then the second reset will run\ncore_tmr_drain_tmr_list and see the first reset and wait on it resulting in\na deadlock.", "A race condition flaw was found in the Linux kernel SCSI target subsystem's LUN_RESET handling. When multiple remote initiator sessions send concurrent LUN_RESET commands, one session's reset can incorrectly drain commands from another session, causing the second session to receive a successful reset response even though its commands weren't cleaned up, which results in the initiator reissuing commands while the old ones are still executing and leads to command confusion and potential data integrity issues." ],
  "statement" : "The issue arises because LUN_RESET operations from different sessions aren't properly serialized. When session1's LUN_RESET begins processing, it moves all running commands (from both sessions) to its local drain_task_list. Meanwhile, session2's LUN_RESET doesn't see session1's reset operation (because it removed itself from the TMR list) and doesn't see any commands (because session1 moved them). Session2 then incorrectly reports success to its initiator. The initiator believes its commands are aborted and reissues them, but the backend eventually completes the original commands, returning aborted task statuses. The initiator then encounters invalid ITT errors or accidentally looks up reused ITTs. This can cause I/O errors and potential data corruption if reissued commands overlap with still-executing original commands. The race requires precise timing between multiple sessions sending LUN_RESET commands concurrently.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-05-22T00:00:00Z",
    "advisory" : "RHSA-2024:3138",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53586\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53586\nhttps://lore.kernel.org/linux-cve-announce/2025100425-CVE-2023-53586-67e1@gregkh/T" ],
  "name" : "CVE-2023-53586",
  "csaw" : false
}