{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-54007","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-24T10:53:46.177Z","datePublished":"2025-12-24T10:55:41.281Z","dateUpdated":"2026-05-11T19:53:29.294Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:53:29.294Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nvmci_host: fix a race condition in vmci_host_poll() causing GPF\n\nDuring fuzzing, a general protection fault is observed in\nvmci_host_poll().\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]\nRIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926\n<- omitting registers ->\nCall Trace:\n <TASK>\n lock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162\n add_wait_queue+0x3d/0x260 kernel/sched/wait.c:22\n poll_wait include/linux/poll.h:49 [inline]\n vmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174\n vfs_poll include/linux/poll.h:88 [inline]\n do_pollfd fs/select.c:873 [inline]\n do_poll fs/select.c:921 [inline]\n do_sys_poll+0xc7c/0x1aa0 fs/select.c:1015\n __do_sys_ppoll fs/select.c:1121 [inline]\n __se_sys_ppoll+0x2cc/0x330 fs/select.c:1101\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nExample thread interleaving that causes the general protection fault\nis as follows:\n\nCPU1 (vmci_host_poll)               CPU2 (vmci_host_do_init_context)\n-----                               -----\n// Read uninitialized context\ncontext = vmci_host_dev->context;\n                                    // Initialize context\n                                    vmci_host_dev->context = vmci_ctx_create();\n                                    vmci_host_dev->ct_type = VMCIOBJ_CONTEXT;\n\nif (vmci_host_dev->ct_type == VMCIOBJ_CONTEXT) {\n    // Dereferencing the wrong pointer\n    poll_wait(..., &context->host_context);\n}\n\nIn this scenario, vmci_host_poll() reads vmci_host_dev->context first,\nand then reads vmci_host_dev->ct_type to check that\nvmci_host_dev->context is initialized. However, since these two reads\nare not atomically executed, there is a chance of a race condition as\ndescribed above.\n\nTo fix this race condition, read vmci_host_dev->context after checking\nthe value of vmci_host_dev->ct_type so that vmci_host_poll() always\nreads an initialized context."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/misc/vmw_vmci/vmci_host.c"],"versions":[{"version":"8bf503991f87e32ea42a7bd69b79ba084fddc5d7","lessThan":"2053e93ac15519ed1f1fe6eba79a33a4963be4a3","status":"affected","versionType":"git"},{"version":"8bf503991f87e32ea42a7bd69b79ba084fddc5d7","lessThan":"ca0f4ad2b7a36c799213ef0a213eb977a51e03dc","status":"affected","versionType":"git"},{"version":"8bf503991f87e32ea42a7bd69b79ba084fddc5d7","lessThan":"85b4aa4eb2e3a0da111fd0a1cdbf00f986ac6b6b","status":"affected","versionType":"git"},{"version":"8bf503991f87e32ea42a7bd69b79ba084fddc5d7","lessThan":"770d30b1355c6c8879973dd054fca9168def182c","status":"affected","versionType":"git"},{"version":"8bf503991f87e32ea42a7bd69b79ba084fddc5d7","lessThan":"d22b2a35729cb1de311cb650cd67518a24e13fc9","status":"affected","versionType":"git"},{"version":"8bf503991f87e32ea42a7bd69b79ba084fddc5d7","lessThan":"67e35824f861a05b44b19d38e16a83f653bd9d92","status":"affected","versionType":"git"},{"version":"8bf503991f87e32ea42a7bd69b79ba084fddc5d7","lessThan":"ab64bd32b9fac27ff4737d63711b9db5e5462448","status":"affected","versionType":"git"},{"version":"8bf503991f87e32ea42a7bd69b79ba084fddc5d7","lessThan":"ae13381da5ff0e8e084c0323c3cc0a945e43e9c7","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/misc/vmw_vmci/vmci_host.c"],"versions":[{"version":"3.9","status":"affected"},{"version":"0","lessThan":"3.9","status":"unaffected","versionType":"semver"},{"version":"4.19.283","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.243","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.180","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.111","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.28","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2.15","lessThanOrEqual":"6.2.*","status":"unaffected","versionType":"semver"},{"version":"6.3.2","lessThanOrEqual":"6.3.*","status":"unaffected","versionType":"semver"},{"version":"6.4","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9","versionEndExcluding":"4.19.283"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9","versionEndExcluding":"5.4.243"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9","versionEndExcluding":"5.10.180"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9","versionEndExcluding":"5.15.111"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9","versionEndExcluding":"6.1.28"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9","versionEndExcluding":"6.2.15"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9","versionEndExcluding":"6.3.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9","versionEndExcluding":"6.4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2053e93ac15519ed1f1fe6eba79a33a4963be4a3"},{"url":"https://git.kernel.org/stable/c/ca0f4ad2b7a36c799213ef0a213eb977a51e03dc"},{"url":"https://git.kernel.org/stable/c/85b4aa4eb2e3a0da111fd0a1cdbf00f986ac6b6b"},{"url":"https://git.kernel.org/stable/c/770d30b1355c6c8879973dd054fca9168def182c"},{"url":"https://git.kernel.org/stable/c/d22b2a35729cb1de311cb650cd67518a24e13fc9"},{"url":"https://git.kernel.org/stable/c/67e35824f861a05b44b19d38e16a83f653bd9d92"},{"url":"https://git.kernel.org/stable/c/ab64bd32b9fac27ff4737d63711b9db5e5462448"},{"url":"https://git.kernel.org/stable/c/ae13381da5ff0e8e084c0323c3cc0a945e43e9c7"}],"title":"vmci_host: fix a race condition in vmci_host_poll() causing GPF","x_generator":{"engine":"bippy-1.2.0"}}}}