{ "threat_severity" : "Low", "public_date" : "2025-12-30T00:00:00Z", "bugzilla" : { "description" : "kernel: blk-mq: fix tags leak when shrink nr_hw_queues", "id" : "2426105", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426105" }, "cvss3" : { "cvss3_base_score" : "3.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status" : "verified" }, "cwe" : "CWE-772", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nblk-mq: fix tags leak when shrink nr_hw_queues\nAlthough we don't need to realloc set->tags[] when shrink nr_hw_queues,\nwe need to free them. Or these tags will be leaked.\nHow to reproduce:\n1. mount -t configfs configfs /mnt\n2. modprobe null_blk nr_devices=0 submit_queues=8\n3. mkdir /mnt/nullb/nullb0\n4. echo 1 > /mnt/nullb/nullb0/power\n5. echo 4 > /mnt/nullb/nullb0/submit_queues\n6. rmdir /mnt/nullb/nullb0\nIn step 4, will alloc 9 tags (8 submit queues and 1 poll queue), then\nin step 5, new_nr_hw_queues = 5 (4 submit queues and 1 poll queue).\nAt last in step 6, only these 5 tags are freed, the other 4 tags leaked.", "A memory leak flaw was found in the Linux kernel's block multi-queue (blk-mq) subsystem. When the number of hardware queues is reduced via the submit_queues parameter, the tags associated with the removed queues are not freed, causing a memory leak. This occurs because shrinking nr_hw_queues does not deallocate the tags for queues that are no longer needed." ], "statement" : "Exploitation requires administrative access to configfs and the ability to create and modify null_blk devices. The memory leak manifests only when actively reducing hardware queues on block devices, which is not a typical runtime operation, limiting the practical impact of this flaw.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-11-12T00:00:00Z", "advisory" : "RHSA-2024:9315", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-503.11.1.el9_5" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-11-12T00:00:00Z", "advisory" : "RHSA-2024:9315", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-503.11.1.el9_5" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54227\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54227\nhttps://lore.kernel.org/linux-cve-announce/2025123029-CVE-2023-54227-5c6c@gregkh/T" ], "name" : "CVE-2023-54227", "csaw" : false }