{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Linux kernel: Information disclosure in VFIO Type1 module via uninitialized stack memory",
    "id" : "2425187",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2425187"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-908",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nvfio/type1: fix cap_migration information leak\nFix an information leak where an uninitialized hole in struct\nvfio_iommu_type1_info_cap_migration on the stack is exposed to userspace.\nThe definition of struct vfio_iommu_type1_info_cap_migration contains a hole as\nshown in this pahole(1) output:\nstruct vfio_iommu_type1_info_cap_migration {\nstruct vfio_info_cap_header header;              /*     0     8 */\n__u32                      flags;                /*     8     4 */\n/* XXX 4 bytes hole, try to pack */\n__u64                      pgsize_bitmap;        /*    16     8 */\n__u64                      max_dirty_bitmap_size; /*    24     8 */\n/* size: 32, cachelines: 1, members: 4 */\n/* sum members: 28, holes: 1, sum holes: 4 */\n/* last cacheline: 32 bytes */\n};\nThe cap_mig variable is filled in without initializing the hole:\nstatic int vfio_iommu_migration_build_caps(struct vfio_iommu *iommu,\nstruct vfio_info_cap *caps)\n{\nstruct vfio_iommu_type1_info_cap_migration cap_mig;\ncap_mig.header.id = VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION;\ncap_mig.header.version = 1;\ncap_mig.flags = 0;\n/* support minimum pgsize */\ncap_mig.pgsize_bitmap = (size_t)1 << __ffs(iommu->pgsize_bitmap);\ncap_mig.max_dirty_bitmap_size = DIRTY_BITMAP_SIZE_MAX;\nreturn vfio_info_add_capability(caps, &cap_mig.header, sizeof(cap_mig));\n}\nThe structure is then copied to a temporary location on the heap. At this point\nit's already too late and ioctl(VFIO_IOMMU_GET_INFO) copies it to userspace\nlater:\nint vfio_info_add_capability(struct vfio_info_cap *caps,\nstruct vfio_info_cap_header *cap, size_t size)\n{\nstruct vfio_info_cap_header *header;\nheader = vfio_info_cap_add(caps, size, cap->id, cap->version);\nif (IS_ERR(header))\nreturn PTR_ERR(header);\nmemcpy(header + 1, cap + 1, size - sizeof(*header));\nreturn 0;\n}\nThis issue was found by code inspection.", "A flaw was found in the Linux kernel's Virtual Function I/O (VFIO) Type1 module. This vulnerability allows a local user to expose uninitialized kernel stack memory to userspace, leading to information disclosure. The flaw occurs because a specific data structure, vfio_iommu_type1_info_cap_migration, contains an uninitialized memory region that is copied to userspace." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54137\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54137\nhttps://lore.kernel.org/linux-cve-announce/2025122422-CVE-2023-54137-1873@gregkh/T" ],
  "name" : "CVE-2023-54137",
  "csaw" : false
}