{"dataType":"CVE_RECORD","cveMetadata":{"cveId":"CVE-2023-52609","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-03-06T09:52:12.088Z","datePublished":"2024-03-18T10:07:45.486Z","dateUpdated":"2026-05-11T19:30:17.511Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:30:17.511Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix race between mmput() and do_exit()\n\nTask A calls binder_update_page_range() to allocate and insert pages on\na remote address space from Task B. For this, Task A pins the remote mm\nvia mmget_not_zero() first. This can race with Task B do_exit() and the\nfinal mmput() refcount decrement will come from Task A.\n\n  Task A            | Task B\n  ------------------+------------------\n  mmget_not_zero()  |\n                    |  do_exit()\n                    |    exit_mm()\n                    |      mmput()\n  mmput()           |\n    exit_mmap()     |\n      remove_vma()  |\n        fput()      |\n\nIn this case, the work of ____fput() from Task B is queued up in Task A\nas TWA_RESUME. So in theory, Task A returns to userspace and the cleanup\nwork gets executed. However, Task A instead sleep, waiting for a reply\nfrom Task B that never comes (it's dead).\n\nThis means the binder_deferred_release() is blocked until an unrelated\nbinder event forces Task A to go back to userspace. All the associated\ndeath notifications will also be delayed until then.\n\nIn order to fix this use mmput_async() that will schedule the work in\nthe corresponding mm->async_put_work WQ instead of Task A."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/android/binder_alloc.c"],"versions":[{"version":"457b9a6f09f011ebcb9b52cc203a6331a6fc2de7","lessThan":"95b1d336b0642198b56836b89908d07b9a0c9608","status":"affected","versionType":"git"},{"version":"457b9a6f09f011ebcb9b52cc203a6331a6fc2de7","lessThan":"252a2a5569eb9f8d16428872cc24dea1ac0bb097","status":"affected","versionType":"git"},{"version":"457b9a6f09f011ebcb9b52cc203a6331a6fc2de7","lessThan":"7e7a0d86542b0ea903006d3f42f33c4f7ead6918","status":"affected","versionType":"git"},{"version":"457b9a6f09f011ebcb9b52cc203a6331a6fc2de7","lessThan":"98fee5bee97ad47b527a997d5786410430d1f0e9","status":"affected","versionType":"git"},{"version":"457b9a6f09f011ebcb9b52cc203a6331a6fc2de7","lessThan":"6696f76c32ff67fec26823fc2df46498e70d9bf3","status":"affected","versionType":"git"},{"version":"457b9a6f09f011ebcb9b52cc203a6331a6fc2de7","lessThan":"67f16bf2cc1698fd50e01ee8a2becc5a8e6d3a3e","status":"affected","versionType":"git"},{"version":"457b9a6f09f011ebcb9b52cc203a6331a6fc2de7","lessThan":"77d210e8db4d61d43b2d16df66b1ec46fad2ee01","status":"affected","versionType":"git"},{"version":"457b9a6f09f011ebcb9b52cc203a6331a6fc2de7","lessThan":"9a9ab0d963621d9d12199df9817e66982582d5a5","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/android/binder_alloc.c"],"versions":[{"version":"2.6.29","status":"affected"},{"version":"0","lessThan":"2.6.29","status":"unaffected","versionType":"semver"},{"version":"4.19.306","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.268","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.209","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.148","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.75","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.14","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.7.2","lessThanOrEqual":"6.7.*","status":"unaffected","versionType":"semver"},{"version":"6.8","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"4.19.306"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"5.4.268"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"5.10.209"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"5.15.148"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.1.75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.6.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.7.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/95b1d336b0642198b56836b89908d07b9a0c9608"},{"url":"https://git.kernel.org/stable/c/252a2a5569eb9f8d16428872cc24dea1ac0bb097"},{"url":"https://git.kernel.org/stable/c/7e7a0d86542b0ea903006d3f42f33c4f7ead6918"},{"url":"https://git.kernel.org/stable/c/98fee5bee97ad47b527a997d5786410430d1f0e9"},{"url":"https://git.kernel.org/stable/c/6696f76c32ff67fec26823fc2df46498e70d9bf3"},{"url":"https://git.kernel.org/stable/c/67f16bf2cc1698fd50e01ee8a2becc5a8e6d3a3e"},{"url":"https://git.kernel.org/stable/c/77d210e8db4d61d43b2d16df66b1ec46fad2ee01"},{"url":"https://git.kernel.org/stable/c/9a9ab0d963621d9d12199df9817e66982582d5a5"}],"title":"binder: fix race between mmput() and do_exit()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CISA ADP Vulnrichment","metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2023-52609","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-03-18T14:26:58.041951Z"}}}],"providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-04T17:24:00.326Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T23:03:21.321Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/95b1d336b0642198b56836b89908d07b9a0c9608","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/252a2a5569eb9f8d16428872cc24dea1ac0bb097","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/7e7a0d86542b0ea903006d3f42f33c4f7ead6918","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/98fee5bee97ad47b527a997d5786410430d1f0e9","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/6696f76c32ff67fec26823fc2df46498e70d9bf3","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/67f16bf2cc1698fd50e01ee8a2becc5a8e6d3a3e","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/77d210e8db4d61d43b2d16df66b1ec46fad2ee01","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/9a9ab0d963621d9d12199df9817e66982582d5a5","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","tags":["x_transferred"]}]}]},"dataVersion":"5.2"}