CVE-2023-53777

EPSS 0.02%
Veröffentlicht 09.12.2025 00:00:32
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

erofs: kill hooked chains to avoid loops on deduplicated compressed images

In the Linux kernel, the following vulnerability has been resolved:

erofs: kill hooked chains to avoid loops on deduplicated compressed images

After heavily stressing EROFS with several images which include a
hand-crafted image of repeated patterns for more than 46 days, I found
two chains could be linked with each other almost simultaneously and
form a loop so that the entire loop won't be submitted.  As a
consequence, the corresponding file pages will remain locked forever.

It can be _only_ observed on data-deduplicated compressed images.
For example, consider two chains with five pclusters in total:
	Chain 1:  2->3->4->5    -- The tail pcluster is 5;
        Chain 2:  5->1->2       -- The tail pcluster is 2.

Chain 2 could link to Chain 1 with pcluster 5; and Chain 1 could link
to Chain 2 at the same time with pcluster 2.

Since hooked chains are all linked locklessly now, I have no idea how
to simply avoid the race.  Instead, let's avoid hooked chains completely
until I could work out a proper way to fix this and end users finally
tell us that it's needed to add it back.

Actually, this optimization can be found with multi-threaded workloads
(especially even more often on deduplicated compressed images), yet I'm
not sure about the overall system impacts of not having this compared
with implementation complexity.

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 7

CNA 2 VulnDex Vulnerability Enrichment 5

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version 267f2492c8f71dac44399988b510f9bf6b074a51

Version < d3b39ea24835ac03da1a30f93ae7c05d55a40191

Status affected

Version 267f2492c8f71dac44399988b510f9bf6b074a51

Version < b5b0d52f00e4bacb0ebdf47cd7016b0485fffad2

Status affected

Version 267f2492c8f71dac44399988b510f9bf6b074a51

Version < 10c2b98a40d9044a3e97f4697ca6213bad7e19c2

Status affected

Version 267f2492c8f71dac44399988b510f9bf6b074a51

Version < 967c28b23f6c89bb8eef6a046ea88afe0d7c1029

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 6.0

Status affected

Version 0

Version < 6.0

Status unaffected

Version <= 6.1.*

Version 6.1.39

Status unaffected

Version <= 6.3.*

Version 6.3.13

Status unaffected

Version <= 6.4.*

Version 6.4.4

Status unaffected

Version <= *

Version 6.5

Status unaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.061

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://git.kernel.org/stable/c/d3b39ea24835ac03da1a30f93ae7c05d55a40191

https://git.kernel.org/stable/c/b5b0d52f00e4bacb0ebdf47cd7016b0485fffad2

https://git.kernel.org/stable/c/10c2b98a40d9044a3e97f4697ca6213bad7e19c2

https://git.kernel.org/stable/c/967c28b23f6c89bb8eef6a046ea88afe0d7c1029

https://nvd.nist.gov/vuln/detail/CVE-2023-53777

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-53777

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-53777

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-53777