{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-53826","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-09T01:27:17.824Z","datePublished":"2025-12-09T01:29:39.679Z","dateUpdated":"2026-05-11T19:52:16.903Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:52:16.903Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()\n\nWear-leveling entry could be freed in error path, which may be accessed\nagain in eraseblk_count_seq_show(), for example:\n\n__erase_worker                eraseblk_count_seq_show\n                                wl = ubi->lookuptbl[*block_number]\n\t\t\t\tif (wl)\n  wl_entry_destroy\n    ubi->lookuptbl[e->pnum] = NULL\n    kmem_cache_free(ubi_wl_entry_slab, e)\n\t\t                   erase_count = wl->ec  // UAF!\n\nWear-leveling entry updating/accessing in ubi->lookuptbl should be\nprotected by ubi->wl_lock, fix it by adding ubi->wl_lock to serialize\nwl entry accessing between wl_entry_destroy() and\neraseblk_count_seq_show().\n\nFetch a reproducer in [Link]."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/mtd/ubi/wl.c"],"versions":[{"version":"801c135ce73d5df1caf3eca35b66a10824ae0707","lessThan":"3f9b63dfce44a7c3c095dd93d910408e07ab1845","status":"affected","versionType":"git"},{"version":"801c135ce73d5df1caf3eca35b66a10824ae0707","lessThan":"84250da1c63cb7d421a3b4812b5c2ce2e47d31a1","status":"affected","versionType":"git"},{"version":"801c135ce73d5df1caf3eca35b66a10824ae0707","lessThan":"1cb14c06d6035539ef4215c4ba0871aea71d7c38","status":"affected","versionType":"git"},{"version":"801c135ce73d5df1caf3eca35b66a10824ae0707","lessThan":"9d448dd6bcb61a508204b57ea1f454ba9bac2f24","status":"affected","versionType":"git"},{"version":"801c135ce73d5df1caf3eca35b66a10824ae0707","lessThan":"79548ccdd992707879b4b683b7251c58ddf26f12","status":"affected","versionType":"git"},{"version":"801c135ce73d5df1caf3eca35b66a10824ae0707","lessThan":"84253f3c2dad6be10d30c92626c763d9a9f512ad","status":"affected","versionType":"git"},{"version":"801c135ce73d5df1caf3eca35b66a10824ae0707","lessThan":"a100de2974d208cfca032179b02ed4d1a0a7f143","status":"affected","versionType":"git"},{"version":"801c135ce73d5df1caf3eca35b66a10824ae0707","lessThan":"a240bc5c43130c6aa50831d7caaa02a1d84e1bce","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/mtd/ubi/wl.c"],"versions":[{"version":"2.6.22","status":"affected"},{"version":"0","lessThan":"2.6.22","status":"unaffected","versionType":"semver"},{"version":"4.14.308","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.276","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.235","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.173","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.100","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.18","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2.5","lessThanOrEqual":"6.2.*","status":"unaffected","versionType":"semver"},{"version":"6.3","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.22","versionEndExcluding":"4.14.308"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.22","versionEndExcluding":"4.19.276"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.22","versionEndExcluding":"5.4.235"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.22","versionEndExcluding":"5.10.173"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.22","versionEndExcluding":"5.15.100"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.22","versionEndExcluding":"6.1.18"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.22","versionEndExcluding":"6.2.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.22","versionEndExcluding":"6.3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/3f9b63dfce44a7c3c095dd93d910408e07ab1845"},{"url":"https://git.kernel.org/stable/c/84250da1c63cb7d421a3b4812b5c2ce2e47d31a1"},{"url":"https://git.kernel.org/stable/c/1cb14c06d6035539ef4215c4ba0871aea71d7c38"},{"url":"https://git.kernel.org/stable/c/9d448dd6bcb61a508204b57ea1f454ba9bac2f24"},{"url":"https://git.kernel.org/stable/c/79548ccdd992707879b4b683b7251c58ddf26f12"},{"url":"https://git.kernel.org/stable/c/84253f3c2dad6be10d30c92626c763d9a9f512ad"},{"url":"https://git.kernel.org/stable/c/a100de2974d208cfca032179b02ed4d1a0a7f143"},{"url":"https://git.kernel.org/stable/c/a240bc5c43130c6aa50831d7caaa02a1d84e1bce"}],"title":"ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()","x_generator":{"engine":"bippy-1.2.0"}}}}