{
  "threat_severity" : "Low",
  "public_date" : "2025-12-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: sched/psi: use kernfs polling functions for PSI trigger polling",
    "id" : "2424987",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2424987"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-772",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nsched/psi: use kernfs polling functions for PSI trigger polling\nDestroying psi trigger in cgroup_file_release causes UAF issues when\na cgroup is removed from under a polling process. This is happening\nbecause cgroup removal causes a call to cgroup_file_release while the\nactual file is still alive. Destroying the trigger at this point would\nalso destroy its waitqueue head and if there is still a polling process\non that file accessing the waitqueue, it will step on the freed pointer:\ndo_select\nvfs_poll\ndo_rmdir\ncgroup_rmdir\nkernfs_drain_open_files\ncgroup_file_release\ncgroup_pressure_release\npsi_trigger_destroy\nwake_up_pollfree(&t->event_wait)\n// vfs_poll is unblocked\nsynchronize_rcu\nkfree(t)\npoll_freewait -> UAF access to the trigger's waitqueue head\nPatch [1] fixed this issue for epoll() case using wake_up_pollfree(),\nhowever the same issue exists for synchronous poll() case.\nThe root cause of this issue is that the lifecycles of the psi trigger's\nwaitqueue and of the file associated with the trigger are different. Fix\nthis by using kernfs_generic_poll function when polling on cgroup-specific\npsi triggers. It internally uses kernfs_open_node->poll waitqueue head\nwith its lifecycle tied to the file's lifecycle. This also renders the\nfix in [1] obsolete, so revert it.\n[1] commit c2dbe32d5db5 (\"sched/psi: Fix use-after-free in ep_remove_wait_queue()\")", "A use-after-free vulnerability was found in the Linux kernel's PSI (Pressure Stall Information) trigger handling for cgroups. When a cgroup is removed while a process is polling its PSI trigger file, the trigger's waitqueue is destroyed via psi_trigger_destroy() while the polling process still holds a reference. The subsequent poll_freewait() accesses the freed waitqueue head, causing a use-after-free crash." ],
  "statement" : "This flaw affects systems using cgroup PSI monitoring with poll() or select() on PSI trigger files. The race occurs when a cgroup is removed (rmdir) while another process is actively polling for PSI events on that cgroup. This is a lifecycle mismatch between the PSI trigger and the associated file descriptor. A previous fix addressed epoll() but left synchronous poll() vulnerable.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54019\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54019\nhttps://lore.kernel.org/linux-cve-announce/2025122433-CVE-2023-54019-95e0@gregkh/T" ],
  "name" : "CVE-2023-54019",
  "csaw" : false
}