CVE-2023-53665 (GCVE-0-2023-53665)

Vulnerability from cvelistv5 – Published: 2025-10-07 15:21 – Updated: 2026-05-11 19:49
VLAI?
Title
md: don't dereference mddev after export_rdev()
Summary
In the Linux kernel, the following vulnerability has been resolved: md: don't dereference mddev after export_rdev() Except for initial reference, mddev->kobject is referenced by rdev->kobject, and if the last rdev is freed, there is no guarantee that mddev is still valid. Hence mddev should not be used anymore after export_rdev(). This problem can be triggered by following test for mdadm at very low rate: New file: mdadm/tests/23rdev-lifetime devname=${dev0##*/} devt=`cat /sys/block/$devname/dev` pid="" runtime=2 clean_up_test() { pill -9 $pid echo clear > /sys/block/md0/md/array_state } trap 'clean_up_test' EXIT add_by_sysfs() { while true; do echo $devt > /sys/block/md0/md/new_dev done } remove_by_sysfs(){ while true; do echo remove > /sys/block/md0/md/dev-${devname}/state done } echo md0 > /sys/module/md_mod/parameters/new_array || die "create md0 failed" add_by_sysfs & pid="$pid $!" remove_by_sysfs & pid="$pid $!" sleep $runtime exit 0 Test cmd: ./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime Test result: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bcb: 0000 [#4] PREEMPT SMP CPU: 0 PID: 1292 Comm: test Tainted: G D W 6.5.0-rc2-00121-g01e55c376936 #562 RIP: 0010:md_wakeup_thread+0x9e/0x320 [md_mod] Call Trace: <TASK> mddev_unlock+0x1b6/0x310 [md_mod] rdev_attr_store+0xec/0x190 [md_mod] sysfs_kf_write+0x52/0x70 kernfs_fop_write_iter+0x19a/0x2a0 vfs_write+0x3b5/0x770 ksys_write+0x74/0x150 __x64_sys_write+0x22/0x30 do_syscall_64+0x40/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Fix this problem by don't dereference mddev after export_rdev().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 3ce94ce5d05ae89190a23f6187f64d8f4b2d3782 , < ad430ad0669d2757377373390d68e1454fc7a344 (git)
Affected: 3ce94ce5d05ae89190a23f6187f64d8f4b2d3782 , < 7deac114be5fb25a4e865212ed0feaf5f85f2a28 (git)
Create a notification for this product.
Linux Linux Affected: 6.5
Unaffected: 0 , < 6.5 (semver)
Unaffected: 6.5.5 , ≤ 6.5.* (semver)
Unaffected: 6.6 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/md.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ad430ad0669d2757377373390d68e1454fc7a344",
              "status": "affected",
              "version": "3ce94ce5d05ae89190a23f6187f64d8f4b2d3782",
              "versionType": "git"
            },
            {
              "lessThan": "7deac114be5fb25a4e865212ed0feaf5f85f2a28",
              "status": "affected",
              "version": "3ce94ce5d05ae89190a23f6187f64d8f4b2d3782",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/md.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5.5",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: don\u0027t dereference mddev after export_rdev()\n\nExcept for initial reference, mddev-\u003ekobject is referenced by\nrdev-\u003ekobject, and if the last rdev is freed, there is no guarantee that\nmddev is still valid. Hence mddev should not be used anymore after\nexport_rdev().\n\nThis problem can be triggered by following test for mdadm at very\nlow rate:\n\nNew file: mdadm/tests/23rdev-lifetime\n\ndevname=${dev0##*/}\ndevt=`cat /sys/block/$devname/dev`\npid=\"\"\nruntime=2\n\nclean_up_test() {\n        pill -9 $pid\n        echo clear \u003e /sys/block/md0/md/array_state\n}\n\ntrap \u0027clean_up_test\u0027 EXIT\n\nadd_by_sysfs() {\n        while true; do\n                echo $devt \u003e /sys/block/md0/md/new_dev\n        done\n}\n\nremove_by_sysfs(){\n        while true; do\n                echo remove \u003e /sys/block/md0/md/dev-${devname}/state\n        done\n}\n\necho md0 \u003e /sys/module/md_mod/parameters/new_array || die \"create md0 failed\"\n\nadd_by_sysfs \u0026\npid=\"$pid $!\"\n\nremove_by_sysfs \u0026\npid=\"$pid $!\"\n\nsleep $runtime\nexit 0\n\nTest cmd:\n\n./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime\n\nTest result:\n\ngeneral protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bcb: 0000 [#4] PREEMPT SMP\nCPU: 0 PID: 1292 Comm: test Tainted: G      D W          6.5.0-rc2-00121-g01e55c376936 #562\nRIP: 0010:md_wakeup_thread+0x9e/0x320 [md_mod]\nCall Trace:\n \u003cTASK\u003e\n mddev_unlock+0x1b6/0x310 [md_mod]\n rdev_attr_store+0xec/0x190 [md_mod]\n sysfs_kf_write+0x52/0x70\n kernfs_fop_write_iter+0x19a/0x2a0\n vfs_write+0x3b5/0x770\n ksys_write+0x74/0x150\n __x64_sys_write+0x22/0x30\n do_syscall_64+0x40/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFix this problem by don\u0027t dereference mddev after export_rdev()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T19:49:33.012Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ad430ad0669d2757377373390d68e1454fc7a344"
        },
        {
          "url": "https://git.kernel.org/stable/c/7deac114be5fb25a4e865212ed0feaf5f85f2a28"
        }
      ],
      "title": "md: don\u0027t dereference mddev after export_rdev()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53665",
    "datePublished": "2025-10-07T15:21:23.808Z",
    "dateReserved": "2025-10-07T15:16:59.662Z",
    "dateUpdated": "2026-05-11T19:49:33.012Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-53665",
      "date": "2026-05-20",
      "epss": "0.0002",
      "percentile": "0.05557"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-53665\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-10-07T16:15:50.280\",\"lastModified\":\"2026-02-26T23:13:15.283\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmd: don\u0027t dereference mddev after export_rdev()\\n\\nExcept for initial reference, mddev-\u003ekobject is referenced by\\nrdev-\u003ekobject, and if the last rdev is freed, there is no guarantee that\\nmddev is still valid. Hence mddev should not be used anymore after\\nexport_rdev().\\n\\nThis problem can be triggered by following test for mdadm at very\\nlow rate:\\n\\nNew file: mdadm/tests/23rdev-lifetime\\n\\ndevname=${dev0##*/}\\ndevt=`cat /sys/block/$devname/dev`\\npid=\\\"\\\"\\nruntime=2\\n\\nclean_up_test() {\\n        pill -9 $pid\\n        echo clear \u003e /sys/block/md0/md/array_state\\n}\\n\\ntrap \u0027clean_up_test\u0027 EXIT\\n\\nadd_by_sysfs() {\\n        while true; do\\n                echo $devt \u003e /sys/block/md0/md/new_dev\\n        done\\n}\\n\\nremove_by_sysfs(){\\n        while true; do\\n                echo remove \u003e /sys/block/md0/md/dev-${devname}/state\\n        done\\n}\\n\\necho md0 \u003e /sys/module/md_mod/parameters/new_array || die \\\"create md0 failed\\\"\\n\\nadd_by_sysfs \u0026\\npid=\\\"$pid $!\\\"\\n\\nremove_by_sysfs \u0026\\npid=\\\"$pid $!\\\"\\n\\nsleep $runtime\\nexit 0\\n\\nTest cmd:\\n\\n./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime\\n\\nTest result:\\n\\ngeneral protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bcb: 0000 [#4] PREEMPT SMP\\nCPU: 0 PID: 1292 Comm: test Tainted: G      D W          6.5.0-rc2-00121-g01e55c376936 #562\\nRIP: 0010:md_wakeup_thread+0x9e/0x320 [md_mod]\\nCall Trace:\\n \u003cTASK\u003e\\n mddev_unlock+0x1b6/0x310 [md_mod]\\n rdev_attr_store+0xec/0x190 [md_mod]\\n sysfs_kf_write+0x52/0x70\\n kernfs_fop_write_iter+0x19a/0x2a0\\n vfs_write+0x3b5/0x770\\n ksys_write+0x74/0x150\\n __x64_sys_write+0x22/0x30\\n do_syscall_64+0x40/0x90\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nFix this problem by don\u0027t dereference mddev after export_rdev().\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.5\",\"versionEndExcluding\":\"6.5.5\",\"matchCriteriaId\":\"BCCF63E3-1E86-4783-A27F-FC9B49E13F4A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.6:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"84267A4F-DBC2-444F-B41D-69E15E1BEC97\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/7deac114be5fb25a4e865212ed0feaf5f85f2a28\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ad430ad0669d2757377373390d68e1454fc7a344\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.