{
  "threat_severity" : "Low",
  "public_date" : "2025-12-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ceph: fix potential use-after-free bug when trimming caps",
    "id" : "2424984",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2424984"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-367",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nceph: fix potential use-after-free bug when trimming caps\nWhen trimming the caps and just after the 'session->s_cap_lock' is\nreleased in ceph_iterate_session_caps() the cap may be removed by\nanother thread, and when using the stale cap memory in the callbacks\nit will trigger a use-after-free crash.\nWe need to check the existence of the cap just after the 'ci->i_ceph_lock'\nbeing acquired. And do nothing if it's already removed.", "A use-after-free vulnerability was found in the Linux kernel's Ceph filesystem client. When iterating over session caps in ceph_iterate_session_caps(), the session->s_cap_lock is released temporarily, allowing another thread to remove the cap. If the cap is freed while the iteration continues, subsequent callback functions access stale memory, causing a use-after-free condition and potential kernel crash." ],
  "statement" : "This flaw affects systems using CephFS (Ceph filesystem) mounts. The race condition occurs during cap trimming operations when multiple threads interact with the same Ceph session. Exploitation requires concurrent operations on CephFS mounts, making it timing-dependent but potentially triggerable under normal workloads with multiple processes accessing the same filesystem.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-05-22T00:00:00Z",
    "advisory" : "RHSA-2024:3138",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53867\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53867\nhttps://lore.kernel.org/linux-cve-announce/2025122422-CVE-2023-53867-cb3e@gregkh/T" ],
  "name" : "CVE-2023-53867",
  "csaw" : false
}