CVE-2023-53078 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate() If alua_rtpg_queue() failed from alua_activate(), then 'qdata' is not freed, which will cause following memleak: unreferenced object 0xffff88810b2c6980 (size 32): comm "kworker/u16:2", pid 635322, jiffies 4355801099 (age 1216426.076s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 40 39 24 c1 ff ff ff ff 00 f8 ea 0a 81 88 ff ff @9$............. backtrace: [<0000000098f3a26d>] alua_activate+0xb0/0x320 [<000000003b529641>] scsi_dh_activate+0xb2/0x140 [<000000007b296db3>] activate_path_work+0xc6/0xe0 [dm_multipath] [<000000007adc9ace>] process_one_work+0x3c5/0x730 [<00000000c457a985>] worker_thread+0x93/0x650 [<00000000cb80e628>] kthread+0x1ba/0x210 [<00000000a1e61077>] ret_from_fork+0x22/0x30 Fix the problem by freeing 'qdata' in error path.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Enterprise Linux

No data.

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
kernel-0:4.18.0-513.5.1.el8_9	cpe:/o:redhat:enterprise_linux:8	RHSA-2023:7077	2023-11-14T00:00:00Z
Red Hat Enterprise Linux 9
kernel-0:5.14.0-362.8.1.el9_3	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:6583	2023-11-07T00:00:00Z
kernel-0:5.14.0-362.8.1.el9_3	cpe:/o:redhat:enterprise_linux:9	RHSA-2023:6583	2023-11-07T00:00:00Z

References

Link	Providers
https://git.kernel.org/stable/c/0d89254a4320eb7de0970c478172f764125c6355
https://git.kernel.org/stable/c/123483df146492ca22b503ae6dacc2ce7c3a3974
https://git.kernel.org/stable/c/1c55982beb80c7d3c30278fc6cfda8496a31dbe6
https://git.kernel.org/stable/c/5c4d71424df34fc23dc5336d09394ce68c849542
https://git.kernel.org/stable/c/9311e7a554dffd3823499e309a8b86a5cd1540e5
https://git.kernel.org/stable/c/a13faca032acbf2699293587085293bdfaafc8ae
https://git.kernel.org/stable/c/c09cdf6eb815ee35e55d6c50ac7f63db58bd20b8
https://git.kernel.org/stable/c/c110051d335ef7f62ad33474b0c23997fee5bfb5
https://lore.kernel.org/linux-cve-announce/2025050216-CVE-2023-53078-45e1@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2023-53078
https://www.cve.org/CVERecord?id=CVE-2023-53078

History

Thu, 03 Jul 2025 02:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:9 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux

Mon, 05 May 2025 14:00:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025050216-CVE-2023-53078-45e1@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2023-53078 https://www.cve.org/CVERecord?id=CVE-2023-53078
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Fri, 02 May 2025 16:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate() If alua_rtpg_queue() failed from alua_activate(), then 'qdata' is not freed, which will cause following memleak: unreferenced object 0xffff88810b2c6980 (size 32): comm "kworker/u16:2", pid 635322, jiffies 4355801099 (age 1216426.076s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 40 39 24 c1 ff ff ff ff 00 f8 ea 0a 81 88 ff ff @9$............. backtrace: [<0000000098f3a26d>] alua_activate+0xb0/0x320 [<000000003b529641>] scsi_dh_activate+0xb2/0x140 [<000000007b296db3>] activate_path_work+0xc6/0xe0 [dm_multipath] [<000000007adc9ace>] process_one_work+0x3c5/0x730 [<00000000c457a985>] worker_thread+0x93/0x650 [<00000000cb80e628>] kthread+0x1ba/0x210 [<00000000a1e61077>] ret_from_fork+0x22/0x30 Fix the problem by freeing 'qdata' in error path.
Title		scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate()
References		https://git.kernel.org/stable/c/0d89254a4320eb7de0970c478172f764125c6355 https://git.kernel.org/stable/c/123483df146492ca22b503ae6dacc2ce7c3a3974 https://git.kernel.org/stable/c/1c55982beb80c7d3c30278fc6cfda8496a31dbe6 https://git.kernel.org/stable/c/5c4d71424df34fc23dc5336d09394ce68c849542 https://git.kernel.org/stable/c/9311e7a554dffd3823499e309a8b86a5cd1540e5 https://git.kernel.org/stable/c/a13faca032acbf2699293587085293bdfaafc8ae https://git.kernel.org/stable/c/c09cdf6eb815ee35e55d6c50ac7f63db58bd20b8 https://git.kernel.org/stable/c/c110051d335ef7f62ad33474b0c23997fee5bfb5

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-05-02T15:55:28.246Z

Updated: 2025-05-04T12:50:18.916Z

Reserved: 2025-05-02T15:51:43.549Z

Link: CVE-2023-53078

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2025-05-02T16:15:26.820

Modified: 2025-05-05T20:54:45.973

Link: CVE-2023-53078

Redhat

Severity : Moderate

Publid Date: 2025-05-02T00:00:00Z

Links: CVE-2023-53078 - Bugzilla

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object