{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-53236", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-09-15T14:19:21.847Z", "datePublished": "2025-09-15T14:22:09.250Z", "dateUpdated": "2025-09-15T14:22:09.250Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-15T14:22:09.250Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Do not corrupt the pfn list when doing batch carry\n\nIf batch->end is 0 then setting npfns[0] before computing the new value of\npfns will fail to adjust the pfn and result in various page accounting\ncorruptions. It should be ordered after.\n\nThis seems to result in various kinds of page meta-data corruption related\nfailures:\n\n WARNING: CPU: 1 PID: 527 at mm/gup.c:75 try_grab_folio+0x503/0x740\n Modules linked in:\n CPU: 1 PID: 527 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755+ #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n RIP: 0010:try_grab_folio+0x503/0x740\n Code: e3 01 48 89 de e8 6d c1 dd ff 48 85 db 0f 84 7c fe ff ff e8 4f bf dd ff 49 8d 47 ff 48 89 45 d0 e9 73 fe ff ff e8 3d bf dd ff <0f> 0b 31 db e9 d0 fc ff ff e8 2f bf dd ff 48 8b 5d c8 31 ff 48 89\n RSP: 0018:ffffc90000f37908 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 00000000fffffc02 RCX: ffffffff81504c26\n RDX: 0000000000000000 RSI: ffff88800d030000 RDI: 0000000000000002\n RBP: ffffc90000f37948 R08: 000000000003ca24 R09: 0000000000000008\n R10: 000000000003ca00 R11: 0000000000000023 R12: ffffea000035d540\n R13: 0000000000000001 R14: 0000000000000000 R15: ffffea000035d540\n FS: 00007fecbf659740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00000000200011c3 CR3: 000000000ef66006 CR4: 0000000000770ee0\n PKRU: 55555554\n Call Trace:\n <TASK>\n internal_get_user_pages_fast+0xd32/0x2200\n pin_user_pages_fast+0x65/0x90\n pfn_reader_user_pin+0x376/0x390\n pfn_reader_next+0x14a/0x7b0\n pfn_reader_first+0x140/0x1b0\n iopt_area_fill_domain+0x74/0x210\n iopt_table_add_domain+0x30e/0x6e0\n iommufd_device_selftest_attach+0x7f/0x140\n iommufd_test+0x10ff/0x16f0\n iommufd_fops_ioctl+0x206/0x330\n __x64_sys_ioctl+0x10e/0x160\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/iommu/iommufd/pages.c"], "versions": [{"version": "f394576eb11dbcd3a740fa41e577b97f0720d26e", "lessThan": "6ed5784526ddc0fb58b1798af36ec0c3139a8dca", "status": "affected", "versionType": "git"}, {"version": "f394576eb11dbcd3a740fa41e577b97f0720d26e", "lessThan": "13a0d1ae7ee6b438f5537711a8c60cba00554943", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/iommu/iommufd/pages.c"], "versions": [{"version": "6.2", "status": "affected"}, {"version": "0", "lessThan": "6.2", "status": "unaffected", "versionType": "semver"}, {"version": "6.2.11", "lessThanOrEqual": "6.2.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6ed5784526ddc0fb58b1798af36ec0c3139a8dca"}, {"url": "https://git.kernel.org/stable/c/13a0d1ae7ee6b438f5537711a8c60cba00554943"}], "title": "iommufd: Do not corrupt the pfn list when doing batch carry", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Do not corrupt the pfn list when doing batch carry\n\nIf batch->end is 0 then setting npfns[0] before computing the new value of\npfns will fail to adjust the pfn and result in various page accounting\ncorruptions. It should be ordered after.\n\nThis seems to result in various kinds of page meta-data corruption related\nfailures:\n\n WARNING: CPU: 1 PID: 527 at mm/gup.c:75 try_grab_folio+0x503/0x740\n Modules linked in:\n CPU: 1 PID: 527 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755+ #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n RIP: 0010:try_grab_folio+0x503/0x740\n Code: e3 01 48 89 de e8 6d c1 dd ff 48 85 db 0f 84 7c fe ff ff e8 4f bf dd ff 49 8d 47 ff 48 89 45 d0 e9 73 fe ff ff e8 3d bf dd ff <0f> 0b 31 db e9 d0 fc ff ff e8 2f bf dd ff 48 8b 5d c8 31 ff 48 89\n RSP: 0018:ffffc90000f37908 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 00000000fffffc02 RCX: ffffffff81504c26\n RDX: 0000000000000000 RSI: ffff88800d030000 RDI: 0000000000000002\n RBP: ffffc90000f37948 R08: 000000000003ca24 R09: 0000000000000008\n R10: 000000000003ca00 R11: 0000000000000023 R12: ffffea000035d540\n R13: 0000000000000001 R14: 0000000000000000 R15: ffffea000035d540\n FS: 00007fecbf659740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00000000200011c3 CR3: 000000000ef66006 CR4: 0000000000770ee0\n PKRU: 55555554\n Call Trace:\n <TASK>\n internal_get_user_pages_fast+0xd32/0x2200\n pin_user_pages_fast+0x65/0x90\n pfn_reader_user_pin+0x376/0x390\n pfn_reader_next+0x14a/0x7b0\n pfn_reader_first+0x140/0x1b0\n iopt_area_fill_domain+0x74/0x210\n iopt_table_add_domain+0x30e/0x6e0\n iommufd_device_selftest_attach+0x7f/0x140\n iommufd_test+0x10ff/0x16f0\n iommufd_fops_ioctl+0x206/0x330\n __x64_sys_ioctl+0x10e/0x160\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc"}], "id": "CVE-2023-53236", "lastModified": "2025-09-15T15:22:27.090", "metrics": {}, "published": "2025-09-15T15:15:50.660", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/13a0d1ae7ee6b438f5537711a8c60cba00554943"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6ed5784526ddc0fb58b1798af36ec0c3139a8dca"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: iommufd: Do not corrupt the pfn list when doing batch carry", "id": "2395398", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395398"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2023-53236", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-09-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-53236\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53236\nhttps://lore.kernel.org/linux-cve-announce/2025091515-CVE-2023-53236-49ad@gregkh/T"], "threat_severity": "Moderate"}