{ "threat_severity" : "Low", "public_date" : "2025-12-30T00:00:00Z", "bugzilla" : { "description" : "kernel: vduse: fix NULL pointer dereference", "id" : "2426074", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426074" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-476", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nvduse: fix NULL pointer dereference\nvduse_vdpa_set_vq_affinity callback can be called\nwith NULL value as cpu_mask when deleting the vduse\ndevice.\nThis patch resets virtqueue's IRQ affinity mask value\nto set all CPUs instead of dereferencing NULL cpu_mask.\n[ 4760.952149] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 4760.959110] #PF: supervisor read access in kernel mode\n[ 4760.964247] #PF: error_code(0x0000) - not-present page\n[ 4760.969385] PGD 0 P4D 0\n[ 4760.971927] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 4760.976112] CPU: 13 PID: 2346 Comm: vdpa Not tainted 6.4.0-rc6+ #4\n[ 4760.982291] Hardware name: Dell Inc. PowerEdge R640/0W23H8, BIOS 2.8.1 06/26/2020\n[ 4760.989769] RIP: 0010:memcpy_orig+0xc5/0x130\n[ 4760.994049] Code: 16 f8 4c 89 07 4c 89 4f 08 4c 89 54 17 f0 4c 89 5c 17 f8 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 fa 08 72 1b <4c> 8b 06 4c 8b 4c 16 f8 4c 89 07 4c 89 4c 17 f8 c3 cc cc cc cc 66\n[ 4761.012793] RSP: 0018:ffffb1d565abb830 EFLAGS: 00010246\n[ 4761.018020] RAX: ffff9f4bf6b27898 RBX: ffff9f4be23969c0 RCX: ffff9f4bcadf6400\n[ 4761.025152] RDX: 0000000000000008 RSI: 0000000000000000 RDI: ffff9f4bf6b27898\n[ 4761.032286] RBP: 0000000000000000 R08: 0000000000000008 R09: 0000000000000000\n[ 4761.039416] R10: 0000000000000000 R11: 0000000000000600 R12: 0000000000000000\n[ 4761.046549] R13: 0000000000000000 R14: 0000000000000080 R15: ffffb1d565abbb10\n[ 4761.053680] FS: 00007f64c2ec2740(0000) GS:ffff9f635f980000(0000) knlGS:0000000000000000\n[ 4761.061765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 4761.067513] CR2: 0000000000000000 CR3: 0000001875270006 CR4: 00000000007706e0\n[ 4761.074645] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 4761.081775] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 4761.088909] PKRU: 55555554\n[ 4761.091620] Call Trace:\n[ 4761.094074] \n[ 4761.096180] ? __die+0x1f/0x70\n[ 4761.099238] ? page_fault_oops+0x171/0x4f0\n[ 4761.103340] ? exc_page_fault+0x7b/0x180\n[ 4761.107265] ? asm_exc_page_fault+0x22/0x30\n[ 4761.111460] ? memcpy_orig+0xc5/0x130\n[ 4761.115126] vduse_vdpa_set_vq_affinity+0x3e/0x50 [vduse]\n[ 4761.120533] virtnet_clean_affinity.part.0+0x3d/0x90 [virtio_net]\n[ 4761.126635] remove_vq_common+0x1a4/0x250 [virtio_net]\n[ 4761.131781] virtnet_remove+0x5d/0x70 [virtio_net]\n[ 4761.136580] virtio_dev_remove+0x3a/0x90\n[ 4761.140509] device_release_driver_internal+0x19b/0x200\n[ 4761.145742] bus_remove_device+0xc2/0x130\n[ 4761.149755] device_del+0x158/0x3e0\n[ 4761.153245] ? kernfs_find_ns+0x35/0xc0\n[ 4761.157086] device_unregister+0x13/0x60\n[ 4761.161010] unregister_virtio_device+0x11/0x20\n[ 4761.165543] device_release_driver_internal+0x19b/0x200\n[ 4761.170770] bus_remove_device+0xc2/0x130\n[ 4761.174782] device_del+0x158/0x3e0\n[ 4761.178276] ? __pfx_vdpa_name_match+0x10/0x10 [vdpa]\n[ 4761.183336] device_unregister+0x13/0x60\n[ 4761.187260] vdpa_nl_cmd_dev_del_set_doit+0x63/0xe0 [vdpa]", "A NULL pointer dereference vulnerability was found in the Linux kernel's VDUSE (vDPA Device in Userspace) subsystem. The vduse_vdpa_set_vq_affinity() callback can be invoked with a NULL cpu_mask value when deleting a vduse device. The code attempts to copy from this NULL pointer, causing a kernel crash during device removal." ], "statement" : "This flaw affects systems using VDUSE for userspace-backed vDPA devices, typically in virtualization environments. The crash occurs during device deletion operations, which generally require administrative privileges. While the bug causes a denial of service, exploitation is limited to users with permissions to manage vDPA devices.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-11-12T00:00:00Z", "advisory" : "RHSA-2024:9315", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-503.11.1.el9_5" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-11-12T00:00:00Z", "advisory" : "RHSA-2024:9315", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-503.11.1.el9_5" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54291\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54291\nhttps://lore.kernel.org/linux-cve-announce/2025123029-CVE-2023-54291-2983@gregkh/T" ], "name" : "CVE-2023-54291", "mitigation" : { "value" : "To mitigate this issue, prevent the vduse module from being loaded. See https://access.redhat.com/solutions/41278 for instructions.", "lang" : "en:us" }, "csaw" : false }