CVE-2023-53136 in Linux

Summary

by MITRE • 05/02/2025

In the Linux kernel, the following vulnerability has been resolved:

af_unix: fix struct pid leaks in OOB support

syzbot reported struct pid leak [1].

Issue is that queue_oob() calls maybe_add_creds() which potentially holds a reference on a pid.

But skb->destructor is not set (either directly or by calling unix_scm_to_skb())

This means that subsequent kfree_skb() or consume_skb() would leak this reference.

In this fix, I chose to fully support scm even for the OOB message.

[1]
BUG: memory leak
unreferenced object 0xffff8881053e7f80 (size 128):
  comm "syz-executor242", pid 5066, jiffies 4294946079 (age 13.220s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff812ae26a>] alloc_pid+0x6a/0x560 kernel/pid.c:180
    [<ffffffff812718df>] copy_process+0x169f/0x26c0 kernel/fork.c:2285
    [<ffffffff81272b37>] kernel_clone+0xf7/0x610 kernel/fork.c:2684
    [<ffffffff812730cc>] __do_sys_clone+0x7c/0xb0 kernel/fork.c:2825
    [<ffffffff849ad699>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff849ad699>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
    [<ffffffff84a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd


Analysis

by VulDB Data Team • 01/31/2026

The vulnerability CVE-2023-53136 represents a critical memory management flaw within the Linux kernel's Unix domain socket implementation, specifically affecting the af_unix subsystem. This issue stems from improper handling of struct pid references during out-of-band (OOB) message processing, creating a persistent memory leak that can accumulate over time and potentially lead to system instability or resource exhaustion. The vulnerability was identified through automated fuzzing conducted by syzbot, which detected unreferenced objects in kernel memory, indicating a failure in proper reference counting mechanisms.

The technical root cause involves the queue_oob() function which invokes maybe_add_creds() to potentially acquire a reference to a process identifier structure. However, the socket buffer (skb) that contains this reference fails to properly establish a destructor callback either directly or through the unix_scm_to_skb() function. This omission means that when kfree_skb() or consume_skb() is eventually called to free the socket buffer, the reference to the struct pid remains unreleased, creating a memory leak that persists until the system reboots or the reference is manually cleared. The leaked struct pid structure, as shown in the memory dump, represents 128 bytes of kernel memory that cannot be reclaimed by the system's memory management subsystem.
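The following is an added, simplified user-space model of the reference-counting mistake described in the commit message and in the paragraph above; it is not kernel code. The names (struct pid, get_pid/put_pid, maybe_add_creds, skb->destructor, unix_destruct_scm) mirror the kernel's, but every body here is constructed for illustration, and the only difference between the vulnerable and fixed queue_oob() is whether a destructor is installed on the skb.

```c
/* Constructed model of CVE-2023-53136: a reference taken for an skb is only
 * released if the skb has a destructor that knows to drop it. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

struct pid { int count; };                 /* refcount only; the real object is 128 bytes */

struct sk_buff {
    struct pid *pid;                       /* credential (scm) reference carried by the skb */
    void (*destructor)(struct sk_buff *);  /* run by kfree_skb(); NULL means "do nothing" */
};

static struct pid *get_pid(struct pid *p) { p->count++; return p; }
static void put_pid(struct pid *p)        { p->count--; }

/* maybe_add_creds(): takes a pid reference on behalf of the skb. */
static void maybe_add_creds(struct sk_buff *skb, struct pid *sender)
{
    skb->pid = get_pid(sender);
}

/* unix_destruct_scm(): destructor that drops the scm references the skb holds. */
static void unix_destruct_scm(struct sk_buff *skb)
{
    if (skb->pid) put_pid(skb->pid);
}

/* kfree_skb()/consume_skb(): frees the buffer; without a destructor the pid ref leaks. */
static void kfree_skb(struct sk_buff *skb)
{
    if (skb->destructor) skb->destructor(skb);
    free(skb);
}

/* queue_oob() before (fixed == false) and after (fixed == true) the patch. */
static struct sk_buff *queue_oob(struct pid *sender, bool fixed)
{
    struct sk_buff *skb = calloc(1, sizeof *skb);
    maybe_add_creds(skb, sender);
    if (fixed) skb->destructor = unix_destruct_scm;  /* what the fix adds via scm support */
    return skb;
}

/* Returns how many pid references remain after one OOB send/free cycle (0 = no leak). */
int leaked_pid_refs(bool fixed)
{
    struct pid sender = { .count = 1 };    /* one reference held by the owning task */
    kfree_skb(queue_oob(&sender, fixed));
    return sender.count - 1;
}
```

Each OOB message sent on the unpatched path leaves one extra reference behind, which is exactly the "unreferenced object ... alloc_pid" pattern syzbot's leak detector reported.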

The operational impact of this vulnerability extends beyond simple memory consumption, as it can lead to progressive system degradation and potential denial of service conditions. When multiple OOB messages are processed through the affected code path, each leak compounds the memory pressure, eventually exhausting available kernel memory resources. This vulnerability particularly affects systems heavily utilizing Unix domain sockets for inter-process communication, where OOB message handling is common. The issue demonstrates a fundamental flaw in kernel reference counting practices and highlights the importance of proper resource management in kernel space operations, where memory leaks can have cascading effects on system stability.

Mitigation strategies for CVE-2023-53136 involve applying the kernel patch that ensures proper scm (socket control message) support for OOB messages by implementing the missing destructor callback mechanism. This fix requires that the socket buffer properly establishes reference tracking through either direct assignment or via unix_scm_to_skb() calls to ensure that struct pid references are properly released when the socket buffer is freed. System administrators should prioritize applying the patched kernel version and monitor for potential memory consumption anomalies in systems that heavily utilize Unix domain sockets. The vulnerability aligns with CWE-401: Improper Release of Memory and falls under ATT&CK technique T1490: Inhibit System Recovery, as it can contribute to system instability through resource exhaustion. Organizations should also consider implementing memory monitoring solutions to detect potential memory leaks in kernel space and establish regular kernel update schedules to address similar vulnerabilities that may be discovered in the future.

Responsible: Linux
Reservation: 05/02/2025
Disclosure: 05/02/2025
Moderation: accepted
CPE: ready
EPSS: 0.00152
KEV: no
Activities: very low
