{ "threat_severity" : "Moderate", "public_date" : "2025-12-09T00:00:00Z", "bugzilla" : { "description" : "kernel: md/raid10: fix null-ptr-deref in raid10_sync_request", "id" : "2420309", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2420309" }, "cvss3" : { "cvss3_base_score" : "4.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-908", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmd/raid10: fix null-ptr-deref in raid10_sync_request\ninit_resync() inits mempool and sets conf->have_replacemnt at the beginning\nof sync, close_sync() frees the mempool when sync is completed.\nAfter [1] recovery might be skipped and init_resync() is called but\nclose_sync() is not. null-ptr-deref occurs with r10bio->dev[i].repl_bio.\nThe following is one way to reproduce the issue.\n1) create a array, wait for resync to complete, mddev->recovery_cp is set\nto MaxSector.\n2) recovery is woken and it is skipped. conf->have_replacement is set to\n0 in init_resync(). close_sync() not called.\n3) some io errors and rdev A is set to WantReplacement.\n4) a new device is added and set to A's replacement.\n5) recovery is woken, A have replacement, but conf->have_replacemnt is\n0. r10bio->dev[i].repl_bio will not be alloced and null-ptr-deref\noccurs.\nFix it by not calling init_resync() if recovery skipped.\n[1] commit 7e83ccbecd60 (\"md/raid10: Allow skipping recovery when clean arrays are assembled\")", "A null pointer dereference flaw was found in the Linux kernel's RAID10 implementation. When recovery is skipped on a clean array, init_resync() is called but close_sync() is not, leaving conf->have_replacement incorrectly set to 0. If a replacement device is later added and recovery is triggered, repl_bio is not allocated, causing a null pointer dereference when accessed." ], "statement" : "Exploitation requires specific RAID10 array operations including adding replacement devices after skipped recovery cycles. This represents a reliability issue for systems using RAID10 with device replacement workflows.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-11-14T00:00:00Z", "advisory" : "RHSA-2023:7077", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-513.5.1.el8_9" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date" : "2023-11-28T00:00:00Z", "advisory" : "RHSA-2023:7539", "cpe" : "cpe:/o:redhat:rhel_eus:8.8", "package" : "kernel-0:4.18.0-477.36.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53832\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53832\nhttps://lore.kernel.org/linux-cve-announce/2025120954-CVE-2023-53832-6d46@gregkh/T" ], "name" : "CVE-2023-53832", "csaw" : false }