{ "threat_severity" : "Low", "public_date" : "2025-12-30T00:00:00Z", "bugzilla" : { "description" : "kernel: scsi: target: iscsit: Free cmds before session free", "id" : "2426090", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426090" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-825", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nscsi: target: iscsit: Free cmds before session free\nCommands from recovery entries are freed after session has been closed.\nThat leads to use-after-free at command free or NPE with such call trace:\nTime2Retain timer expired for SID: 1, cleaning up iSCSI session.\nBUG: kernel NULL pointer dereference, address: 0000000000000140\nRIP: 0010:sbitmap_queue_clear+0x3a/0xa0\nCall Trace:\ntarget_release_cmd_kref+0xd1/0x1f0 [target_core_mod]\ntransport_generic_free_cmd+0xd1/0x180 [target_core_mod]\niscsit_free_cmd+0x53/0xd0 [iscsi_target_mod]\niscsit_free_connection_recovery_entries+0x29d/0x320 [iscsi_target_mod]\niscsit_close_session+0x13a/0x140 [iscsi_target_mod]\niscsit_check_post_dataout+0x440/0x440 [iscsi_target_mod]\ncall_timer_fn+0x24/0x140\nMove cleanup of recovery enrties to before session freeing.", "A use-after-free vulnerability was found in the Linux kernel's iSCSI target subsystem. When the Time2Retain timer expires and an iSCSI session is being cleaned up, commands from recovery entries are freed after the session has already been closed. This leads to a NULL pointer dereference or use-after-free when attempting to release command resources." ], "statement" : "This flaw affects systems running iSCSI target services and can be triggered when session recovery timers expire. An attacker with network access to the iSCSI target could potentially cause a denial of service by manipulating session states, though practical exploitation requires specific timing conditions.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-05-22T00:00:00Z", "advisory" : "RHSA-2024:3138", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54184\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54184\nhttps://lore.kernel.org/linux-cve-announce/2025123025-CVE-2023-54184-e958@gregkh/T" ], "name" : "CVE-2023-54184", "csaw" : false }