{
  "threat_severity" : "Low",
  "public_date" : "2025-10-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: dax: Fix dax_mapping_release() use after free",
    "id" : "2401518",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401518"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1341",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndax: Fix dax_mapping_release() use after free\nA CONFIG_DEBUG_KOBJECT_RELEASE test of removing a device-dax region\nprovider (like modprobe -r dax_hmem) yields:\nkobject: 'mapping0' (ffff93eb460e8800): kobject_release, parent 0000000000000000 (delayed 2000)\n[..]\nDEBUG_LOCKS_WARN_ON(1)\nWARNING: CPU: 23 PID: 282 at kernel/locking/lockdep.c:232 __lock_acquire+0x9fc/0x2260\n[..]\nRIP: 0010:__lock_acquire+0x9fc/0x2260\n[..]\nCall Trace:\n<TASK>\n[..]\nlock_acquire+0xd4/0x2c0\n? ida_free+0x62/0x130\n_raw_spin_lock_irqsave+0x47/0x70\n? ida_free+0x62/0x130\nida_free+0x62/0x130\ndax_mapping_release+0x1f/0x30\ndevice_release+0x36/0x90\nkobject_delayed_cleanup+0x46/0x150\nDue to attempting ida_free() on an ida object that has already been\nfreed. Devices typically only hold a reference on their parent while\nregistered. If a child needs a parent object to complete its release it\nneeds to hold a reference that it drops from its release callback.\nArrange for a dax_mapping to pin its parent dev_dax instance until\ndax_mapping_release().", "A use-after-free vulnerability was found in the Linux kernel's device-dax subsystem during mapping object cleanup. When removing a dax region provider, the child dax_mapping objects attempt to free their ID allocator after the parent dev_dax object has already been released. This causes ida_free to operate on freed memory, triggering lockdep warnings and potentially causing crashes or memory corruption, leading to denial of service." ],
  "statement" : "The device-dax subsystem manages mappings of persistent memory regions. The parent-child relationship between dev_dax instances and their dax_mapping children follows the typical device model pattern: children hold references to parents while registered. However, dax_mapping objects were violating this pattern. When kobject delayed cleanup triggered dax_mapping_release (potentially seconds after the mapping was logically removed), it called ida_free on an ida structure that was part of the now-freed parent dev_dax object. The freed parent's memory could have been reallocated for other purposes, making the ida_free operate on arbitrary data structures. The issue manifests clearly under CONFIG_DEBUG_KOBJECT_RELEASE testing, which delays kobject cleanup to expose such bugs. Under normal conditions it creates a window where use-after-free could occur. The fix ensures dax_mapping holds an explicit reference on its parent that's only dropped during the final release callback.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53613\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53613\nhttps://lore.kernel.org/linux-cve-announce/2025100434-CVE-2023-53613-bba8@gregkh/T" ],
  "name" : "CVE-2023-53613",
  "csaw" : false
}