CVE-2023-52974 in Linux
Summary
by MITRE • 03/27/2025
In the Linux kernel, the following vulnerability has been resolved:
scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress
If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails, userspace could be accessing the host's ipaddress attr. If we then free the session via iscsi_session_teardown() while userspace is still accessing the session we will hit a use after free bug.
Set the tcp_sw_host->session after we have completed session creation and can no longer fail.
Analysis
by VulDB Data Team • 12/07/2025
CVE-2023-52974 is a use-after-free in the Linux kernel's iSCSI-over-TCP implementation (the scsi iscsi_tcp driver) that arises during session creation. The issue manifests when iscsi_sw_tcp_session_create() calls iscsi_tcp_r2tpool_alloc() and that allocation fails. In this failure path, a userspace process may be reading the host's IP address attribute for the half-created session, producing a race between that read and the session teardown that leads to memory corruption.
The root cause is the ordering of operations in the session creation workflow: the session pointer is made visible to the attribute reader before creation can no longer fail. When iscsi_tcp_r2tpool_alloc() fails, the kernel already exposes session-related attributes to userspace for a session object that is not fully initialized. If iscsi_session_teardown() then frees the session while the attribute handler is still servicing a userspace read of the IP address attribute, the handler dereferences the freed session, which is the use-after-free.
The operational impact is significant: the flaw can cause system instability or denial of service and may enable privilege escalation. An attacker who can run userspace code on the host could use it to corrupt kernel memory, potentially leading to arbitrary code execution in kernel space. Affected systems are those running Linux kernels with the iSCSI TCP transport, in particular hosts that manage storage connections over iSCSI. Because a narrow race window must be hit, exploitation is difficult, but it is possible when a userspace read of the session attribute coincides with the failure path.
The mitigation changes the session creation logic so that tcp_sw_host->session is set only after every allocation has completed successfully and no further failure is possible. This keeps userspace from ever seeing an incomplete session object and removes the window in which the freed memory could be reached. In other words, the fix enforces a strict ordering: initialization and resource allocation complete in full before the session is published for userspace access. This follows standard kernel practice for memory and resource lifetime management and removes the preconditions for a use-after-free. The flaw is classified as CWE-416 (Use After Free) and maps to ATT&CK privilege-escalation techniques based on kernel memory corruption. The remediation ensures that kernel objects stay valid for their whole intended lifetime and that concurrent userspace and kernel operations cannot reach freed memory.
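As an added illustration, not the kernel's own code, the following userspace C model contrasts the two orderings described above: publishing the session pointer before the last fallible step versus publishing it only once creation can no longer fail. All structs and functions (session, tcp_sw_host, r2tpool_alloc, the attribute reader) are simplified stand-ins constructed for this example; the vulnerable variant is kept only to show why a reader can end up holding a dangling pointer, and the model never dereferences freed memory.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the iscsi_tcp objects; constructed for illustration, not kernel code. */
struct session { char ipaddr[16]; };
struct tcp_sw_host { struct session *session; }; /* pointer the ipaddress reader follows */

/* Stand-in for iscsi_tcp_r2tpool_alloc(); the caller chooses whether it fails. */
static int r2tpool_alloc(int should_fail) { return should_fail ? -1 : 0; }

/* Vulnerable ordering: the session is published before the last step that can fail. */
static int session_create_vuln(struct tcp_sw_host *host, int r2t_fails)
{
    struct session *s = calloc(1, sizeof(*s));
    if (!s) return -1;
    strcpy(s->ipaddr, "10.0.0.1");   /* constructed sample address */
    host->session = s;               /* a concurrent reader can now see the session */
    if (r2tpool_alloc(r2t_fails)) {
        free(s);                     /* teardown: host->session is left dangling */
        return -1;
    }
    return 0;
}

/* Fixed ordering: publish only after nothing further can fail. */
static int session_create_fixed(struct tcp_sw_host *host, int r2t_fails)
{
    struct session *s = calloc(1, sizeof(*s));
    if (!s) return -1;
    strcpy(s->ipaddr, "10.0.0.1");
    if (r2tpool_alloc(r2t_fails)) {
        free(s);                     /* host->session was never set, so it stays NULL */
        return -1;
    }
    host->session = s;
    return 0;
}

/* Stand-in for the ipaddress attribute reader: a NULL session means "not connected".
 * Returns 1 if the reader would follow host->session, 0 if it would bail out safely. */
static int reader_would_follow(const struct tcp_sw_host *host) { return host->session != NULL; }

/* Run one create attempt on a fresh host and report what a reader would do afterwards. */
static int scenario(int use_fixed, int r2t_fails)
{
    struct tcp_sw_host host = { 0 };
    int rc = use_fixed ? session_create_fixed(&host, r2t_fails) : session_create_vuln(&host, r2t_fails);
    int follows = reader_would_follow(&host);
    if (rc == 0) free(host.session); /* successful path: release the live session */
    return follows;
}
```

With the vulnerable ordering a failed create leaves a non-NULL, already-freed session pointer behind for the reader to follow; with the fixed ordering the pointer stays NULL on failure and is only ever set to a fully built session.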