ghsa-f2cg-q42r-r6f6
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
blk-crypto: make blk_crypto_evict_key() more robust
If blk_crypto_evict_key() sees that the key is still in-use (due to a bug) or that ->keyslot_evict failed, it currently just returns while leaving the key linked into the keyslot management structures.
However, blk_crypto_evict_key() is only called in contexts such as inode eviction where failure is not an option. So actually the caller proceeds with freeing the blk_crypto_key regardless of the return value of blk_crypto_evict_key().
These two assumptions don't match, and the result is that there can be a use-after-free in blk_crypto_reprogram_all_keys() after one of these errors occurs. (Note, these errors shouldn't happen; we're just talking about what happens if they do anyway.)
Fix this by making blk_crypto_evict_key() unlink the key from the keyslot management structures even on failure.
Also improve some comments.
{
"affected": [],
"aliases": [
"CVE-2023-53536"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-04T16:15:48Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-crypto: make blk_crypto_evict_key() more robust\n\nIf blk_crypto_evict_key() sees that the key is still in-use (due to a\nbug) or that -\u003ekeyslot_evict failed, it currently just returns while\nleaving the key linked into the keyslot management structures.\n\nHowever, blk_crypto_evict_key() is only called in contexts such as inode\neviction where failure is not an option. So actually the caller\nproceeds with freeing the blk_crypto_key regardless of the return value\nof blk_crypto_evict_key().\n\nThese two assumptions don\u0027t match, and the result is that there can be a\nuse-after-free in blk_crypto_reprogram_all_keys() after one of these\nerrors occurs. (Note, these errors *shouldn\u0027t* happen; we\u0027re just\ntalking about what happens if they do anyway.)\n\nFix this by making blk_crypto_evict_key() unlink the key from the\nkeyslot management structures even on failure.\n\nAlso improve some comments.",
"id": "GHSA-f2cg-q42r-r6f6",
"modified": "2025-10-04T18:31:14Z",
"published": "2025-10-04T18:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53536"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5bb4005fb667c6e2188fa87950f8d5faf2994410"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5c62852942667c613de0458fc797c5b8c36112b5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5c7cb94452901a93e90c2230632e2c12a681bc92"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/64ef787bb1588475163069c2e62fdd8f6c27b1f6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/701a8220762ff90615dc91d3543f789391b63298"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/809a5be62e92a444a3c3d7b9f438019d0b322f55"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.