CVE-2023-53777

EPSS 0.02%
Veröffentlicht 09.12.2025 00:00:32
Zuletzt bearbeitet 09.12.2025 18:37:13
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

erofs: kill hooked chains to avoid loops on deduplicated compressed images

After heavily stressing EROFS with several images which include a
hand-crafted image of repeated patterns for more than 46 days, I found
two chains could be linked with each other almost simultaneously and
form a loop so that the entire loop won't be submitted.  As a
consequence, the corresponding file pages will remain locked forever.

It can be _only_ observed on data-deduplicated compressed images.
For example, consider two chains with five pclusters in total:
	Chain 1:  2->3->4->5    -- The tail pcluster is 5;
        Chain 2:  5->1->2       -- The tail pcluster is 2.

Chain 2 could link to Chain 1 with pcluster 5; and Chain 1 could link
to Chain 2 at the same time with pcluster 2.

Since hooked chains are all linked locklessly now, I have no idea how
to simply avoid the race.  Instead, let's avoid hooked chains completely
until I could work out a proper way to fix this and end users finally
tell us that it's needed to add it back.

Actually, this optimization can be found with multi-threaded workloads
(especially even more often on deduplicated compressed images), yet I'm
not sure about the overall system impacts of not having this compared
with implementation complexity.

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version < d3b39ea24835ac03da1a30f93ae7c05d55a40191

Version 267f2492c8f71dac44399988b510f9bf6b074a51

Status affected

Version < b5b0d52f00e4bacb0ebdf47cd7016b0485fffad2

Version 267f2492c8f71dac44399988b510f9bf6b074a51

Status affected

Version < 10c2b98a40d9044a3e97f4697ca6213bad7e19c2

Version 267f2492c8f71dac44399988b510f9bf6b074a51

Status affected

Version < 967c28b23f6c89bb8eef6a046ea88afe0d7c1029

Version 267f2492c8f71dac44399988b510f9bf6b074a51

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 6.0

Status affected

Version < 6.0

Version 0

Status unaffected

Version <= 6.1.*

Version 6.1.39

Status unaffected

Version <= 6.3.*

Version 6.3.13

Status unaffected

Version <= 6.4.*

Version 6.4.4

Status unaffected

Version <= *

Version 6.5

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.036

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

https://git.kernel.org/stable/c/d3b39ea24835ac03da1a30f93ae7c05d55a40191

https://git.kernel.org/stable/c/b5b0d52f00e4bacb0ebdf47cd7016b0485fffad2

https://git.kernel.org/stable/c/10c2b98a40d9044a3e97f4697ca6213bad7e19c2

https://git.kernel.org/stable/c/967c28b23f6c89bb8eef6a046ea88afe0d7c1029

https://nvd.nist.gov/vuln/detail/CVE-2023-53777

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-53777

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-53777

EUVD