{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-53587","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-10-04T15:40:38.477Z","datePublished":"2025-10-04T15:44:02.679Z","dateUpdated":"2026-05-11T19:47:57.275Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:47:57.275Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Sync IRQ works before buffer destruction\n\nIf something was written to the buffer just before destruction,\nit may be possible (maybe not in a real system, but it did\nhappen in ARCH=um with time-travel) to destroy the ringbuffer\nbefore the IRQ work ran, leading this KASAN report (or a crash\nwithout KASAN):\n\n    BUG: KASAN: slab-use-after-free in irq_work_run_list+0x11a/0x13a\n    Read of size 8 at addr 000000006d640a48 by task swapper/0\n\n    CPU: 0 PID: 0 Comm: swapper Tainted: G        W  O       6.3.0-rc1 #7\n    Stack:\n     60c4f20f 0c203d48 41b58ab3 60f224fc\n     600477fa 60f35687 60c4f20f 601273dd\n     00000008 6101eb00 6101eab0 615be548\n    Call Trace:\n     [<60047a58>] show_stack+0x25e/0x282\n     [<60c609e0>] dump_stack_lvl+0x96/0xfd\n     [<60c50d4c>] print_report+0x1a7/0x5a8\n     [<603078d3>] kasan_report+0xc1/0xe9\n     [<60308950>] __asan_report_load8_noabort+0x1b/0x1d\n     [<60232844>] irq_work_run_list+0x11a/0x13a\n     [<602328b4>] irq_work_tick+0x24/0x34\n     [<6017f9dc>] update_process_times+0x162/0x196\n     [<6019f335>] tick_sched_handle+0x1a4/0x1c3\n     [<6019fd9e>] tick_sched_timer+0x79/0x10c\n     [<601812b9>] __hrtimer_run_queues.constprop.0+0x425/0x695\n     [<60182913>] hrtimer_interrupt+0x16c/0x2c4\n     [<600486a3>] um_timer+0x164/0x183\n     [...]\n\n    Allocated by task 411:\n     save_stack_trace+0x99/0xb5\n     stack_trace_save+0x81/0x9b\n     kasan_save_stack+0x2d/0x54\n     kasan_set_track+0x34/0x3e\n     kasan_save_alloc_info+0x25/0x28\n     ____kasan_kmalloc+0x8b/0x97\n     __kasan_kmalloc+0x10/0x12\n     __kmalloc+0xb2/0xe8\n     load_elf_phdrs+0xee/0x182\n     [...]\n\n    The buggy address belongs to the object at 000000006d640800\n     which belongs to the cache kmalloc-1k of size 1024\n    The buggy address is located 584 bytes inside of\n     freed 1024-byte region [000000006d640800, 000000006d640c00)\n\nAdd the appropriate irq_work_sync() so the work finishes before\nthe buffers are destroyed.\n\nPrior to the commit in the Fixes tag below, there was only a\nsingle global IRQ work, so this issue didn't exist."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/trace/ring_buffer.c"],"versions":[{"version":"15693458c4bc0693fd63a50d60f35b628fcf4e29","lessThan":"372c5ee537b8366b64b691ba29e9335525e1655e","status":"affected","versionType":"git"},{"version":"15693458c4bc0693fd63a50d60f35b628fcf4e29","lessThan":"2702b67f59d455072a08dc40312f9b090d4dec04","status":"affected","versionType":"git"},{"version":"15693458c4bc0693fd63a50d60f35b628fcf4e29","lessThan":"2399b1fda025e939b6fb1ac94505bcf718534e65","status":"affected","versionType":"git"},{"version":"15693458c4bc0693fd63a50d60f35b628fcf4e29","lessThan":"1c99f65d6af2a454bfd5207b4f6a97c8474a1191","status":"affected","versionType":"git"},{"version":"15693458c4bc0693fd63a50d60f35b628fcf4e29","lessThan":"c63741e872fcfb10e153517750f7908f0c00f60d","status":"affected","versionType":"git"},{"version":"15693458c4bc0693fd63a50d60f35b628fcf4e29","lessThan":"d9834abd8b24d1fe8092859e436fe1e0fd467c61","status":"affected","versionType":"git"},{"version":"15693458c4bc0693fd63a50d60f35b628fcf4e29","lessThan":"fc6858b7f8e1221f62ce8c6ff8a13a349c32cd76","status":"affected","versionType":"git"},{"version":"15693458c4bc0693fd63a50d60f35b628fcf4e29","lessThan":"0a65165bd24ee9231191597b7c232376fcd70cdb","status":"affected","versionType":"git"},{"version":"15693458c4bc0693fd63a50d60f35b628fcf4e29","lessThan":"675751bb20634f981498c7d66161584080cc061e","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/trace/ring_buffer.c"],"versions":[{"version":"3.10","status":"affected"},{"version":"0","lessThan":"3.10","status":"unaffected","versionType":"semver"},{"version":"4.14.315","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.283","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.243","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.180","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.111","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.28","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2.15","lessThanOrEqual":"6.2.*","status":"unaffected","versionType":"semver"},{"version":"6.3.2","lessThanOrEqual":"6.3.*","status":"unaffected","versionType":"semver"},{"version":"6.4","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"4.14.315"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"4.19.283"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"5.4.243"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"5.10.180"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"5.15.111"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.1.28"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.2.15"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.3.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/372c5ee537b8366b64b691ba29e9335525e1655e"},{"url":"https://git.kernel.org/stable/c/2702b67f59d455072a08dc40312f9b090d4dec04"},{"url":"https://git.kernel.org/stable/c/2399b1fda025e939b6fb1ac94505bcf718534e65"},{"url":"https://git.kernel.org/stable/c/1c99f65d6af2a454bfd5207b4f6a97c8474a1191"},{"url":"https://git.kernel.org/stable/c/c63741e872fcfb10e153517750f7908f0c00f60d"},{"url":"https://git.kernel.org/stable/c/d9834abd8b24d1fe8092859e436fe1e0fd467c61"},{"url":"https://git.kernel.org/stable/c/fc6858b7f8e1221f62ce8c6ff8a13a349c32cd76"},{"url":"https://git.kernel.org/stable/c/0a65165bd24ee9231191597b7c232376fcd70cdb"},{"url":"https://git.kernel.org/stable/c/675751bb20634f981498c7d66161584080cc061e"}],"title":"ring-buffer: Sync IRQ works before buffer destruction","x_generator":{"engine":"bippy-1.2.0"}}}}