{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-54195","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-30T12:06:44.498Z","datePublished":"2025-12-30T12:09:02.123Z","dateUpdated":"2026-05-11T19:57:18.436Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:57:18.436Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix timeout of a call that hasn't yet been granted a channel\n\nafs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may\nget stalled in the background waiting for a connection to become\navailable); it then calls rxrpc_kernel_set_max_life() to set the timeouts -\nbut that starts the call timer so the call timer might then expire before\nwe get a connection assigned - leading to the following oops if the call\nstalled:\n\n\tBUG: kernel NULL pointer dereference, address: 0000000000000000\n\t...\n\tCPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701\n\tRIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157\n\t...\n\tCall Trace:\n\t <TASK>\n\t rxrpc_send_ACK+0x50/0x13b\n\t rxrpc_input_call_event+0x16a/0x67d\n\t rxrpc_io_thread+0x1b6/0x45f\n\t ? _raw_spin_unlock_irqrestore+0x1f/0x35\n\t ? rxrpc_input_packet+0x519/0x519\n\t kthread+0xe7/0xef\n\t ? kthread_complete_and_exit+0x1b/0x1b\n\t ret_from_fork+0x22/0x30\n\nFix this by noting the timeouts in struct rxrpc_call when the call is\ncreated.  The timer will be started when the first packet is transmitted.\n\nIt shouldn't be possible to trigger this directly from userspace through\nAF_RXRPC as sendmsg() will return EBUSY if the call is in the\nwaiting-for-conn state if it dropped out of the wait due to a signal."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/afs/afs.h","fs/afs/internal.h","fs/afs/rxrpc.c","include/net/af_rxrpc.h","net/rxrpc/af_rxrpc.c","net/rxrpc/ar-internal.h","net/rxrpc/call_object.c","net/rxrpc/sendmsg.c"],"versions":[{"version":"9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d","lessThan":"92128a7170a220b5126d09a1c1954a3a8d46cef3","status":"affected","versionType":"git"},{"version":"9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d","lessThan":"72f4a9f3f447948cf86dffe1c4a4c8a429ab9666","status":"affected","versionType":"git"},{"version":"9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d","lessThan":"db099c625b13a74d462521a46d98a8ce5b53af5d","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/afs/afs.h","fs/afs/internal.h","fs/afs/rxrpc.c","include/net/af_rxrpc.h","net/rxrpc/af_rxrpc.c","net/rxrpc/ar-internal.h","net/rxrpc/call_object.c","net/rxrpc/sendmsg.c"],"versions":[{"version":"6.2","status":"affected"},{"version":"0","lessThan":"6.2","status":"unaffected","versionType":"semver"},{"version":"6.2.16","lessThanOrEqual":"6.2.*","status":"unaffected","versionType":"semver"},{"version":"6.3.3","lessThanOrEqual":"6.3.*","status":"unaffected","versionType":"semver"},{"version":"6.4","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.2.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.3.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/92128a7170a220b5126d09a1c1954a3a8d46cef3"},{"url":"https://git.kernel.org/stable/c/72f4a9f3f447948cf86dffe1c4a4c8a429ab9666"},{"url":"https://git.kernel.org/stable/c/db099c625b13a74d462521a46d98a8ce5b53af5d"}],"title":"rxrpc: Fix timeout of a call that hasn't yet been granted a channel","x_generator":{"engine":"bippy-1.2.0"}}}}