CVE-2023-53587— ring-buffer: Sync IRQ works before buffer destruction
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-53587
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ring-buffer: Sync IRQ works before buffer destruction
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Sync IRQ works before buffer destruction If something was written to the buffer just before destruction, it may be possible (maybe not in a real system, but it did happen in ARCH=um with time-travel) to destroy the ringbuffer before the IRQ work ran, leading this KASAN report (or a crash without KASAN): BUG: KASAN: slab-use-after-free in irq_work_run_list+0x11a/0x13a Read of size 8 at addr 000000006d640a48 by task swapper/0 CPU: 0 PID: 0 Comm: swapper Tainted: G W O 6.3.0-rc1 #7 Stack: 60c4f20f 0c203d48 41b58ab3 60f224fc 600477fa 60f35687 60c4f20f 601273dd 00000008 6101eb00 6101eab0 615be548 Call Trace: [<60047a58>] show_stack+0x25e/0x282 [<60c609e0>] dump_stack_lvl+0x96/0xfd [<60c50d4c>] print_report+0x1a7/0x5a8 [<603078d3>] kasan_report+0xc1/0xe9 [<60308950>] __asan_report_load8_noabort+0x1b/0x1d [<60232844>] irq_work_run_list+0x11a/0x13a [<602328b4>] irq_work_tick+0x24/0x34 [<6017f9dc>] update_process_times+0x162/0x196 [<6019f335>] tick_sched_handle+0x1a4/0x1c3 [<6019fd9e>] tick_sched_timer+0x79/0x10c [<601812b9>] __hrtimer_run_queues.constprop.0+0x425/0x695 [<60182913>] hrtimer_interrupt+0x16c/0x2c4 [<600486a3>] um_timer+0x164/0x183 [...] Allocated by task 411: save_stack_trace+0x99/0xb5 stack_trace_save+0x81/0x9b kasan_save_stack+0x2d/0x54 kasan_set_track+0x34/0x3e kasan_save_alloc_info+0x25/0x28 ____kasan_kmalloc+0x8b/0x97 __kasan_kmalloc+0x10/0x12 __kmalloc+0xb2/0xe8 load_elf_phdrs+0xee/0x182 [...] The buggy address belongs to the object at 000000006d640800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 584 bytes inside of freed 1024-byte region [000000006d640800, 000000006d640c00) Add the appropriate irq_work_sync() so the work finishes before the buffers are destroyed. Prior to the commit in the Fixes tag below, there was only a single global IRQ work, so this issue didn't exist.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于销毁缓冲区前未同步IRQ工作,可能导致释放后重用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2023-53587
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-53587
请登录查看更多情报信息。
Same Patch Batch · Linux · 2025-10-04 · 144 CVEs total
| CVE-2025-39946 | 9.8 CRITICAL | tls: make sure to abort the stream if headers are bogus |
| CVE-2022-50489 | drm/mipi-dsi: Detach devices when removing the host | |
| CVE-2023-53580 | USB: Gadget: core: Help prevent panic during UVC unconfigure | |
| CVE-2022-50507 | fs/ntfs3: Validate data run offset | |
| CVE-2022-50508 | wifi: mt76: mt76x0: fix oob access in mt76x0_phy_get_target_power | |
| CVE-2022-50506 | drbd: only clone bio if we have a backing device | |
| CVE-2022-50504 | powerpc/rtas: avoid scheduling in rtas_os_term() | |
| CVE-2022-50505 | iommu/amd: Fix pci device refcount leak in ppr_notifier() | |
| CVE-2022-50503 | mtd: lpddr2_nvm: Fix possible null-ptr-deref | |
| CVE-2022-50501 | media: coda: Add check for dcoda_iram_alloc | |
| CVE-2022-50500 | netdevsim: fix memory leak in nsim_drv_probe() when nsim_dev_resources_register() failed | |
| CVE-2022-50499 | media: dvb-core: Fix double free in dvb_register_device() | |
| CVE-2022-50497 | binfmt_misc: fix shift-out-of-bounds in check_special_flags | |
| CVE-2022-50498 | eth: alx: take rtnl_lock on resume | |
| CVE-2022-50496 | dm cache: Fix UAF in destroy() | |
| CVE-2022-50494 | thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash | |
| CVE-2022-50493 | scsi: qla2xxx: Fix crash when I/O abort times out | |
| CVE-2022-50492 | drm/msm: fix use-after-free on probe deferral | |
| CVE-2022-50490 | bpf: Propagate error from htab_lock_bucket() to userspace | |
| CVE-2023-53570 | wifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems() |
Showing top 20 of 144 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2023-53587
No comments yet