{
  "threat_severity" : "Low",
  "public_date" : "2025-09-16T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Linux kernel: Denial of Service due to improper thread termination in rcuscale module",
    "id" : "2395686",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2395686"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-366",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nrcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale\nRunning the 'kfree_rcu_test' test case [1] results in a splat [2].\nThe root cause is the kfree_scale_thread thread(s) continue running\nafter unloading the rcuscale module.  This commit fixes that issue by\ninvoking kfree_scale_cleanup() from rcu_scale_cleanup() when removing\nthe rcuscale module.\n[1] modprobe rcuscale kfree_rcu_test=1\n// After some time\nrmmod rcuscale\nrmmod torture\n[2] BUG: unable to handle page fault for address: ffffffffc0601a87\n#PF: supervisor instruction fetch in kernel mode\n#PF: error_code(0x0010) - not-present page\nPGD 11de4f067 P4D 11de4f067 PUD 11de51067 PMD 112f4d067 PTE 0\nOops: 0010 [#1] PREEMPT SMP NOPTI\nCPU: 1 PID: 1798 Comm: kfree_scale_thr Not tainted 6.3.0-rc1-rcu+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015\nRIP: 0010:0xffffffffc0601a87\nCode: Unable to access opcode bytes at 0xffffffffc0601a5d.\nRSP: 0018:ffffb25bc2e57e18 EFLAGS: 00010297\nRAX: 0000000000000000 RBX: ffffffffc061f0b6 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff962fd0de RDI: ffffffff962fd0de\nRBP: ffffb25bc2e57ea8 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000\nR13: 0000000000000000 R14: 000000000000000a R15: 00000000001c1dbe\nFS:  0000000000000000(0000) GS:ffff921fa2200000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffc0601a5d CR3: 000000011de4c006 CR4: 0000000000370ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\n? kvfree_call_rcu+0xf0/0x3a0\n? kthread+0xf3/0x120\n? kthread_complete_and_exit+0x20/0x20\n? ret_from_fork+0x1f/0x30\n</TASK>\nModules linked in: rfkill sunrpc ... [last unloaded: torture]\nCR2: ffffffffc0601a87\n---[ end trace 0000000000000000 ]---", "A flaw was found in the Linux kernel. A local attacker can exploit this vulnerability by loading and then unloading the `rcuscale` module while a specific test case is active. This improper handling of thread termination can lead to a use-after-free condition, causing a kernel crash and resulting in a Denial of Service (DoS)." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53291\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53291\nhttps://lore.kernel.org/linux-cve-announce/2025091626-CVE-2023-53291-9fe7@gregkh/T" ],
  "name" : "CVE-2023-53291",
  "csaw" : false
}