{ "threat_severity" : "Moderate", "public_date" : "2025-12-09T00:00:00Z", "bugzilla" : { "description" : "kernel: blk-mq: release crypto keyslot before reporting I/O complete", "id" : "2420280", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2420280" }, "cvss3" : { "cvss3_base_score" : "4.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nblk-mq: release crypto keyslot before reporting I/O complete\nOnce all I/O using a blk_crypto_key has completed, filesystems can call\nblk_crypto_evict_key(). However, the block layer currently doesn't call\nblk_crypto_put_keyslot() until the request is being freed, which happens\nafter upper layers have been told (via bio_endio()) the I/O has\ncompleted. This causes a race condition where blk_crypto_evict_key()\ncan see 'slot_refs != 0' without there being an actual bug.\nThis makes __blk_crypto_evict_key() hit the\n'WARN_ON_ONCE(atomic_read(&slot->slot_refs) != 0)' and return without\ndoing anything, eventually causing a use-after-free in\nblk_crypto_reprogram_all_keys(). (This is a very rare bug and has only\nbeen seen when per-file keys are being used with fscrypt.)\nThere are two options to fix this: either release the keyslot before\nbio_endio() is called on the request's last bio, or make\n__blk_crypto_evict_key() ignore slot_refs. Let's go with the first\nsolution, since it preserves the ability to report bugs (via\nWARN_ON_ONCE) where a key is evicted while still in-use.", "A flaw was identified in the block multi-queue (blk-mq) subsystem of the Linux kernel where the crypto keyslot associated with a block I/O request could be released after upper layers have been notified that the I/O operation completed. Under certain conditions, this could lead to a use-after-free of the crypto keyslot object if a filesystem segment attempts to evict a crypto key while I/O is still effectively using it." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53810\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53810\nhttps://lore.kernel.org/linux-cve-announce/2025120944-CVE-2023-53810-e48e@gregkh/T" ], "name" : "CVE-2023-53810", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }