{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-53810","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-08T23:58:35.276Z","datePublished":"2025-12-09T00:01:08.062Z","dateUpdated":"2026-05-11T19:51:56.911Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:51:56.911Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: release crypto keyslot before reporting I/O complete\n\nOnce all I/O using a blk_crypto_key has completed, filesystems can call\nblk_crypto_evict_key().  However, the block layer currently doesn't call\nblk_crypto_put_keyslot() until the request is being freed, which happens\nafter upper layers have been told (via bio_endio()) the I/O has\ncompleted.  This causes a race condition where blk_crypto_evict_key()\ncan see 'slot_refs != 0' without there being an actual bug.\n\nThis makes __blk_crypto_evict_key() hit the\n'WARN_ON_ONCE(atomic_read(&slot->slot_refs) != 0)' and return without\ndoing anything, eventually causing a use-after-free in\nblk_crypto_reprogram_all_keys().  (This is a very rare bug and has only\nbeen seen when per-file keys are being used with fscrypt.)\n\nThere are two options to fix this: either release the keyslot before\nbio_endio() is called on the request's last bio, or make\n__blk_crypto_evict_key() ignore slot_refs.  Let's go with the first\nsolution, since it preserves the ability to report bugs (via\nWARN_ON_ONCE) where a key is evicted while still in-use."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["block/blk-crypto-internal.h","block/blk-crypto.c","block/blk-merge.c","block/blk-mq.c"],"versions":[{"version":"a892c8d52c02284076fbbacae6692aa5c5807d11","lessThan":"874bdf43b4a7dc5463c31508f62b3e42eb237b08","status":"affected","versionType":"git"},{"version":"a892c8d52c02284076fbbacae6692aa5c5807d11","lessThan":"d206f79d9cd658665b37ce8134c6ec849ac7af0c","status":"affected","versionType":"git"},{"version":"a892c8d52c02284076fbbacae6692aa5c5807d11","lessThan":"7d206ec7a04e8545828191b6ea8b49d3ea61391f","status":"affected","versionType":"git"},{"version":"a892c8d52c02284076fbbacae6692aa5c5807d11","lessThan":"b278570e2c59d538216f8b656e97680188a8fba4","status":"affected","versionType":"git"},{"version":"a892c8d52c02284076fbbacae6692aa5c5807d11","lessThan":"92d5d233b9ff531cf9cc36ab4251779e07adb633","status":"affected","versionType":"git"},{"version":"a892c8d52c02284076fbbacae6692aa5c5807d11","lessThan":"9cd1e566676bbcb8a126acd921e4e194e6339603","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["block/blk-crypto-internal.h","block/blk-crypto.c","block/blk-merge.c","block/blk-mq.c"],"versions":[{"version":"5.8","status":"affected"},{"version":"0","lessThan":"5.8","status":"unaffected","versionType":"semver"},{"version":"5.10.180","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.111","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.28","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2.15","lessThanOrEqual":"6.2.*","status":"unaffected","versionType":"semver"},{"version":"6.3.2","lessThanOrEqual":"6.3.*","status":"unaffected","versionType":"semver"},{"version":"6.4","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.10.180"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.15.111"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"6.1.28"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"6.2.15"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"6.3.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"6.4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/874bdf43b4a7dc5463c31508f62b3e42eb237b08"},{"url":"https://git.kernel.org/stable/c/d206f79d9cd658665b37ce8134c6ec849ac7af0c"},{"url":"https://git.kernel.org/stable/c/7d206ec7a04e8545828191b6ea8b49d3ea61391f"},{"url":"https://git.kernel.org/stable/c/b278570e2c59d538216f8b656e97680188a8fba4"},{"url":"https://git.kernel.org/stable/c/92d5d233b9ff531cf9cc36ab4251779e07adb633"},{"url":"https://git.kernel.org/stable/c/9cd1e566676bbcb8a126acd921e4e194e6339603"}],"title":"blk-mq: release crypto keyslot before reporting I/O complete","x_generator":{"engine":"bippy-1.2.0"}}}}