{
  "threat_severity" : "Low",
  "public_date" : "2025-12-30T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: keys: Fix linking a duplicate key to a keyring's assoc_array",
    "id" : "2426038",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426038"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-821",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nkeys: Fix linking a duplicate key to a keyring's assoc_array\nWhen making a DNS query inside the kernel using dns_query(), the request\ncode can in rare cases end up creating a duplicate index key in the\nassoc_array of the destination keyring. It is eventually found by\na BUG_ON() check in the assoc_array implementation and results in\na crash.\nExample report:\n[2158499.700025] kernel BUG at ../lib/assoc_array.c:652!\n[2158499.700039] invalid opcode: 0000 [#1] SMP PTI\n[2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3\n[2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n[2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs]\n[2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40\n[2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff <0f> 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f\n[2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282\n[2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005\n[2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000\n[2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000\n[2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28\n[2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740\n[2158499.700585] FS:  0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000\n[2158499.700610] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[2158499.700630] CR2: 00007fdd94fca238 CR3: 0000000809d8c006 CR4: 00000000003706e0\n[2158499.700702] Call Trace:\n[2158499.700741]  ? key_alloc+0x447/0x4b0\n[2158499.700768]  ? __key_link_begin+0x43/0xa0\n[2158499.700790]  __key_link_begin+0x43/0xa0\n[2158499.700814]  request_key_and_link+0x2c7/0x730\n[2158499.700847]  ? dns_resolver_read+0x20/0x20 [dns_resolver]\n[2158499.700873]  ? key_default_cmp+0x20/0x20\n[2158499.700898]  request_key_tag+0x43/0xa0\n[2158499.700926]  dns_query+0x114/0x2ca [dns_resolver]\n[2158499.701127]  dns_resolve_server_name_to_ip+0x194/0x310 [cifs]\n[2158499.701164]  ? scnprintf+0x49/0x90\n[2158499.701190]  ? __switch_to_asm+0x40/0x70\n[2158499.701211]  ? __switch_to_asm+0x34/0x70\n[2158499.701405]  reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs]\n[2158499.701603]  cifs_resolve_server+0x4b/0xd0 [cifs]\n[2158499.701632]  process_one_work+0x1f8/0x3e0\n[2158499.701658]  worker_thread+0x2d/0x3f0\n[2158499.701682]  ? process_one_work+0x3e0/0x3e0\n[2158499.701703]  kthread+0x10d/0x130\n[2158499.701723]  ? kthread_park+0xb0/0xb0\n[2158499.701746]  ret_from_fork+0x1f/0x40\nThe situation occurs as follows:\n* Some kernel facility invokes dns_query() to resolve a hostname, for\nexample, \"abcdef\". The function registers its global DNS resolver\ncache as current->cred.thread_keyring and passes the query to\nrequest_key_net() -> request_key_tag() -> request_key_and_link().\n* Function request_key_and_link() creates a keyring_search_context\nobject. Its match_data.cmp method gets set via a call to\ntype->match_preparse() (resolves to dns_resolver_match_preparse()) to\ndns_resolver_cmp().\n* Function request_key_and_link() continues and invokes\nsearch_process_keyrings_rcu() which returns that a given key was not\nfound. The control is then passed to request_key_and_link() ->\nconstruct_alloc_key().\n* Concurrently to that, a second task similarly makes a DNS query for\n\"abcdef.\" and its result gets inserted into the DNS resolver cache.\n* Back on the first task, function construct_alloc_key() first runs\n__key_link_begin() to determine an assoc_array_edit operation to\ninsert a new key. Index keys in the array are compared exactly as-is,\nusing keyring_compare_object(). The operation \n---truncated---", "A race condition was found in the Linux kernel's keyring subsystem. When concurrent DNS queries resolve the same hostname, a duplicate index key can be created in the keyring's assoc_array. The assoc_array implementation has a BUG_ON() check that detects this invalid state, causing a kernel crash. This is particularly triggered during CIFS server name resolution." ],
  "statement" : "This flaw can occur during normal system operation when multiple concurrent DNS resolutions happen for the same hostname. Systems using CIFS/SMB mounts with hostname-based server specifications are more susceptible. The race window is small but the impact is a kernel crash when triggered.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-06-05T00:00:00Z",
    "advisory" : "RHSA-2024:3618",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.5.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-12-12T00:00:00Z",
    "advisory" : "RHSA-2023:7749",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.13.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-12-12T00:00:00Z",
    "advisory" : "RHSA-2023:7749",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.13.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54170\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54170\nhttps://lore.kernel.org/linux-cve-announce/2025123020-CVE-2023-54170-f1c6@gregkh/T" ],
  "name" : "CVE-2023-54170",
  "csaw" : false
}