{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-07T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: nvme-tcp: don't access released socket during error recovery",
    "id" : "2402186",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2402186"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-825",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnvme-tcp: don't access released socket during error recovery\nWhile the error recovery work is temporarily failing reconnect attempts,\nrunning the 'nvme list' command causes a kernel NULL pointer dereference\nby calling getsockname() with a released socket.\nDuring error recovery work, the nvme tcp socket is released and a new one\ncreated, so it is not safe to access the socket without proper check.", "A race condition leading to NULL pointer dereference was found in the Linux kernel NVMe-over-TCP driver's error recovery handling. A local user with privileges to execute NVMe management commands can run the 'nvme list' command while NVMe-over-TCP error recovery work is temporarily failing reconnect attempts and cycling sockets, causing the driver to call getsockname() on a released socket pointer, which results in a NULL pointer dereference and denial of service through kernel crash." ],
  "statement" : "The issue arises because of insufficient synchronization between error recovery operations and socket information queries. When an NVMe-over-TCP connection experiences errors, the error recovery work releases the existing socket and creates a new one to establish a fresh connection. During this transition, there is a window where the socket pointer may be NULL or point to freed memory. If userspace executes the 'nvme list' command during this window, the kernel attempts to gather connection information by calling getsockname() on the socket. Without proper validation, this results in dereferencing a NULL or invalid pointer, causing an immediate kernel crash. The race window is narrow, requiring error recovery to be actively cycling sockets when the list command executes. While this reliably causes crashes when the race is won, NULL pointer dereferences on modern kernels with SMAP/SMEP protections cannot be exploited for code execution or information disclosure, only denial of service.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53643\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53643\nhttps://lore.kernel.org/linux-cve-announce/2025100716-CVE-2023-53643-4725@gregkh/T" ],
  "name" : "CVE-2023-53643",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the nvme_tcp module from loading. See https://access.redhat.com/solutions/41278 for instructions on blacklisting kernel modules.",
    "lang" : "en:us"
  },
  "csaw" : false
}