CVE-2023-53172 in Linux
Summary
by MITRE • 09/15/2025
In the Linux kernel, the following vulnerability has been resolved:
fsverity: reject FS_IOC_ENABLE_VERITY on mode 3 fds
Commit 56124d6c87fd ("fsverity: support enabling with tree block size < PAGE_SIZE") changed FS_IOC_ENABLE_VERITY to use __kernel_read() to read the file's data, instead of direct pagecache accesses.
An unintended consequence of this is that the 'WARN_ON_ONCE(!(file->f_mode & FMODE_READ))' in __kernel_read() became reachable by fuzz tests. This happens if FS_IOC_ENABLE_VERITY is called on a fd opened with access mode 3, which means "ioctl access only".
Arguably, FS_IOC_ENABLE_VERITY should work on ioctl-only fds. But ioctl-only fds are a weird Linux extension that is rarely used and that few people even know about. (The documentation for FS_IOC_ENABLE_VERITY even specifically says it requires O_RDONLY.) It's probably not worthwhile to make the ioctl internally open a new fd just to handle this case. Thus, just reject the ioctl on such fds for now.
Analysis
by VulDB Data Team • 01/10/2026
CVE-2023-53172 is a critical flaw in the Linux kernel's fsverity subsystem, which implements filesystem-level verification of file contents. It concerns the FS_IOC_ENABLE_VERITY ioctl, used to enable verification on a file so that its integrity can be checked and tampering detected. The issue was introduced by a kernel commit that changed how fsverity reads file data while enabling verification, moving from direct pagecache access to the __kernel_read() function. That change exposed a previously unreachable condition: the kernel's warning check fires when verification is enabled on a file descriptor opened with access mode 3, i.e. ioctl-only access without read permission.
The root cause is the interaction between the modified fsverity code and __kernel_read(), which contains a defensive check, WARN_ON_ONCE(!(file->f_mode & FMODE_READ)), that validates read access before a kernel read proceeds. When FS_IOC_ENABLE_VERITY is invoked on a descriptor opened with access mode 3, this check fails and a warning is logged, which may indicate a more serious underlying issue. This violates the expected semantics of filesystem verification and leaves the ioctl failing in a way that could be exploited, or at least abused, for denial of service.
The operational impact goes beyond a simple error condition and may affect system stability and security. The immediate effect is a warning message, but the broader implication is a potential denial of service in which legitimate verification operations fail because of improper file descriptor handling. The issue is particularly concerning because it touches the core filesystem integrity mechanism, especially in environments where fsverity protects critical system files or user data. It also shows the difficulty of preserving backward compatibility while making security improvements: the kernel developers had to balance support for edge cases against system stability.
The security implications of CVE-2023-53172 align with CWE-707 design flaws and potentially CWE-476 null pointer dereference patterns, since kernel code paths that should be robust fail under a specific edge case. Under the ATT&CK framework this would fall under T1547.001 account manipulation and T1499.004 endpoint denial of service, since the flaw could be used to disrupt filesystem verification operations. The kernel fix explicitly rejects FS_IOC_ENABLE_VERITY on ioctl-only file descriptors, in line with the principle of least privilege, so that the operation is refused on descriptors lacking the appropriate permissions. This is a fail-safe default: the system rejects a potentially problematic operation rather than trying to handle it unsafely, preventing both immediate exploitation and escalation of privileges through denial of service attacks that could disrupt critical filesystem operations.