CVE-2023-53832

md/raid10: fix null-ptr-deref in raid10_sync_request

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix null-ptr-deref in raid10_sync_request init_resync() inits mempool and sets conf->have_replacemnt at the beginning
of sync, close_sync() frees the mempool when sync is completed. After [1] recovery might be skipped and init_resync() is called but
close_sync() is not. null-ptr-deref occurs with r10bio->dev[i].repl_bio. The following is one way to reproduce the issue. 1) create a array, wait for resync to complete, mddev->recovery_cp is set to MaxSector. 2) recovery is woken and it is skipped. conf->have_replacement is set to 0 in init_resync(). close_sync() not called. 3) some io errors and rdev A is set to WantReplacement. 4) a new device is added and set to A's replacement. 5) recovery is woken, A have replacement, but conf->have_replacemnt is 0. r10bio->dev[i].repl_bio will not be alloced and null-ptr-deref occurs. Fix it by not calling init_resync() if recovery skipped. [1] commit 7e83ccbecd60 ("md/raid10: Allow skipping recovery when clean arrays are assembled")

In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix null-ptr-deref in raid10_sync_request init_resync() inits mempool and sets conf->have_replacemnt at the beginning of sync, close_sync() frees the mempool when sync is completed. After [1] recovery might be skipped and init_resync() is called but close_sync() is not. null-ptr-deref occurs with r10bio->dev[i].repl_bio. The following is one way to reproduce the issue. 1) create a array, wait for resync to complete, mddev->recovery_cp is set to MaxSector. 2) recovery is woken and it is skipped. conf->have_replacement is set to 0 in init_resync(). close_sync() not called. 3) some io errors and rdev A is set to WantReplacement. 4) a new device is added and set to A's replacement. 5) recovery is woken, A have replacement, but conf->have_replacemnt is 0. r10bio->dev[i].repl_bio will not be alloced and null-ptr-deref occurs. Fix it by not calling init_resync() if recovery skipped. [1] commit 7e83ccbecd60 ("md/raid10: Allow skipping recovery when clean arrays are assembled")

The SUSE Linux Enterprise 15 SP5 RT kernel was updated to fix various security issues.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-12-09 CVE Reserved
2025-12-09 CVE Published
2025-12-09 CVE Updated
2026-04-10 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (9)

URL	Tag	Source
https://git.kernel.org/stable/c/7e83ccbecd608b971f340e951c9e84cd0343002f	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/38d33593260536840b49fd1dcac9aedfd14a9d42	2023-05-17
https://git.kernel.org/stable/c/14964127be77884003976a392c9faa9ebaabbbe1	2023-05-17
https://git.kernel.org/stable/c/bdbf104b1c91fbf38f82c522ebf75429f094292a	2023-05-17
https://git.kernel.org/stable/c/68695084077e3de9d3e94e09238ace2b6f246446	2023-05-11
https://git.kernel.org/stable/c/b50fd1c3d9d0175aa29ff2706ef36cc178bc356a	2023-05-11
https://git.kernel.org/stable/c/99b503e4edc5938885d839cf0e7571963f75d800	2023-05-11
https://git.kernel.org/stable/c/9e9efc77efd1956cc244af975240f2513d78a371	2023-05-11
https://git.kernel.org/stable/c/a405c6f0229526160aa3f177f65e20c86fce84c5	2023-04-14

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.10 < 4.19.283 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.10 < 4.19.283"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.10 < 5.4.243 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.10 < 5.4.243"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.10 < 5.10.180 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.10 < 5.10.180"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.10 < 5.15.111 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.10 < 5.15.111"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.10 < 6.1.28 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.10 < 6.1.28"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.10 < 6.2.15 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.10 < 6.2.15"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.10 < 6.3.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.10 < 6.3.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.10 < 6.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.10 < 6.4"		en		Affected