{ "threat_severity" : "Low", "public_date" : "2025-12-30T00:00:00Z", "bugzilla" : { "description" : "kernel: PCI/DOE: Fix destroy_work_on_stack() race", "id" : "2426233", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426233" }, "cvss3" : { "cvss3_base_score" : "3.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status" : "verified" }, "cwe" : "CWE-366", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nPCI/DOE: Fix destroy_work_on_stack() race\nThe following debug object splat was observed in testing:\nODEBUG: free active (active state 0) object: 0000000097d23782 object type: work_struct hint: doe_statemachine_work+0x0/0x510\nWARNING: CPU: 1 PID: 71 at lib/debugobjects.c:514 debug_print_object+0x7d/0xb0\n...\nWorkqueue: pci 0000:36:00.0 DOE [1 doe_statemachine_work\nRIP: 0010:debug_print_object+0x7d/0xb0\n...\nCall Trace:\n? debug_print_object+0x7d/0xb0\n? __pfx_doe_statemachine_work+0x10/0x10\ndebug_object_free.part.0+0x11b/0x150\ndoe_statemachine_work+0x45e/0x510\nprocess_one_work+0x1d4/0x3c0\nThis occurs because destroy_work_on_stack() was called after signaling\nthe completion in the calling thread. This creates a race between\ndestroy_work_on_stack() and the task->work struct going out of scope in\npci_doe().\nSignal the work complete after destroying the work struct. This is safe\nbecause signal_task_complete() is the final thing the work item does and\nthe workqueue code is careful not to access the work struct after.", "A race condition flaw was found in the Linux kernel's PCI Data Object Exchange (DOE) implementation. The destroy_work_on_stack() function is called after signaling completion, creating a race where the work struct can go out of scope before being destroyed. This triggers debug object warnings when CONFIG_DEBUG_OBJECTS is enabled." ], "statement" : "This manifests as a debug object warning rather than a functional failure. The race is only visible when kernel debug options are enabled. Production kernels without CONFIG_DEBUG_OBJECTS will not see any symptoms, though the underlying race still exists.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54235\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54235\nhttps://lore.kernel.org/linux-cve-announce/2025123032-CVE-2023-54235-51bc@gregkh/T" ], "name" : "CVE-2023-54235", "csaw" : false }