{ "threat_severity" : "Low", "public_date" : "2025-12-30T00:00:00Z", "bugzilla" : { "description" : "kernel: bpf: Disable preemption in bpf_event_output", "id" : "2426128", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426128" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-821", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbpf: Disable preemption in bpf_event_output\nWe received report [1] of kernel crash, which is caused by\nusing nesting protection without disabled preemption.\nThe bpf_event_output can be called by programs executed by\nbpf_prog_run_array_cg function that disabled migration but\nkeeps preemption enabled.\nThis can cause task to be preempted by another one inside the\nnesting protection and lead eventually to two tasks using same\nperf_sample_data buffer and cause crashes like:\nBUG: kernel NULL pointer dereference, address: 0000000000000001\n#PF: supervisor instruction fetch in kernel mode\n#PF: error_code(0x0010) - not-present page\n...\n? perf_output_sample+0x12a/0x9a0\n? finish_task_switch.isra.0+0x81/0x280\n? perf_event_output+0x66/0xa0\n? bpf_event_output+0x13a/0x190\n? bpf_event_output_data+0x22/0x40\n? bpf_prog_dfc84bbde731b257_cil_sock4_connect+0x40a/0xacb\n? xa_load+0x87/0xe0\n? __cgroup_bpf_run_filter_sock_addr+0xc1/0x1a0\n? release_sock+0x3e/0x90\n? sk_setsockopt+0x1a1/0x12f0\n? udp_pre_connect+0x36/0x50\n? inet_dgram_connect+0x93/0xa0\n? __sys_connect+0xb4/0xe0\n? udp_setsockopt+0x27/0x40\n? __pfx_udp_push_pending_frames+0x10/0x10\n? __sys_setsockopt+0xdf/0x1a0\n? __x64_sys_connect+0xf/0x20\n? do_syscall_64+0x3a/0x90\n? entry_SYSCALL_64_after_hwframe+0x72/0xdc\nFixing this by disabling preemption in bpf_event_output.\n[1] https://github.com/cilium/cilium/issues/26756", "A race condition was found in the BPF event output mechanism. When preemption is enabled during bpf_event_output(), two tasks can access the same perf_sample_data buffer concurrently, leading to data corruption and kernel crashes." ], "statement" : "Triggering this requires running BPF programs attached to cgroups that use bpf_event_output() under specific preemption timing. This primarily affects systems using Cilium or similar BPF-heavy networking stacks with high load.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54173\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54173\nhttps://lore.kernel.org/linux-cve-announce/2025123021-CVE-2023-54173-2f44@gregkh/T" ], "name" : "CVE-2023-54173", "csaw" : false }