CVE-2023-53665 in Linux

Summary

by MITRE • 10/07/2025

In the Linux kernel, the following vulnerability has been resolved:

md: don't dereference mddev after export_rdev()

Except for initial reference, mddev->kobject is referenced by rdev->kobject, and if the last rdev is freed, there is no guarantee that mddev is still valid. Hence mddev should not be used anymore after export_rdev().

This problem can be triggered by the following test for mdadm at a very low rate:

New file: mdadm/tests/23rdev-lifetime

devname=${dev0##*/}
devt=`cat /sys/block/$devname/dev`
pid=""
runtime=2

clean_up_test() {
        # stop both sysfs loops, then tear the array down
        kill -9 $pid
        echo clear > /sys/block/md0/md/array_state
}

trap 'clean_up_test' EXIT

# keep adding the same device to md0 through sysfs
add_by_sysfs() {
        while true; do
                echo $devt > /sys/block/md0/md/new_dev
        done
}

# keep removing that device again through its rdev state file
remove_by_sysfs(){
        while true; do
                echo remove > /sys/block/md0/md/dev-${devname}/state
        done
}

echo md0 > /sys/module/md_mod/parameters/new_array || die "create md0 failed"

add_by_sysfs &
pid="$pid $!"

remove_by_sysfs &
pid="$pid $!"

sleep $runtime
exit 0

Test cmd:

./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime

Test result:

general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bcb: 0000 [#4] PREEMPT SMP
CPU: 0 PID: 1292 Comm: test Tainted: G D W 6.5.0-rc2-00121-g01e55c376936 #562
RIP: 0010:md_wakeup_thread+0x9e/0x320 [md_mod]
Call Trace:
<TASK>
mddev_unlock+0x1b6/0x310 [md_mod]
rdev_attr_store+0xec/0x190 [md_mod]
sysfs_kf_write+0x52/0x70
kernfs_fop_write_iter+0x19a/0x2a0
vfs_write+0x3b5/0x770
ksys_write+0x74/0x150
__x64_sys_write+0x22/0x30
do_syscall_64+0x40/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fix this problem by not dereferencing mddev after export_rdev().


Analysis

by VulDB Data Team • 03/01/2026

The vulnerability identified as CVE-2023-53665 resides within the Linux kernel's md (Multiple Device) subsystem: a critical use-after-free condition that can lead to system crashes and potential privilege escalation. This flaw manifests in the mdadm module where improper handling of reference counting creates a scenario where an mddev structure may be accessed after it has been freed, resulting in memory corruption and system instability. The issue stems from the kernel's management of device references within the md subsystem, particularly during the process of exporting device references through the export_rdev() function.

The technical root cause involves the improper management of reference counters between mddev and rdev structures within the md subsystem. When export_rdev() is called, it removes the reference from the rdev to the mddev, but the mddev structure itself may be freed if it's the last reference holder. However, subsequent code paths may still attempt to dereference the mddev structure, leading to access of freed memory. This creates a classic use-after-free vulnerability that can be exploited to trigger general protection faults and system panics. The vulnerability is particularly dangerous because it operates at kernel level where such faults can result in complete system compromise.

The operational impact of this vulnerability is significant as it can be triggered through specific mdadm test scenarios that manipulate device addition and removal operations in rapid succession. The test case provided demonstrates how alternating between adding and removing devices through sysfs interfaces can cause the mddev structure to be freed while still being referenced elsewhere in the code path. The kernel stack trace reveals that the fault occurs in md_wakeup_thread function, indicating that the problem propagates through the md subsystem's thread management and device state handling mechanisms. This vulnerability can be exploited to cause system crashes, data corruption, or potentially provide a foothold for more sophisticated attacks.

The fix implemented addresses the core issue by preventing any dereference of mddev structures after export_rdev() has been called, ensuring that no code paths attempt to access freed memory. This aligns with established security practices for preventing use-after-free vulnerabilities and follows the principle of defensive programming by ensuring proper reference lifecycle management. The solution directly addresses the flaw by making the mddev structure inaccessible after export_rdev() completes, thereby preventing the subsequent memory access that leads to the general protection fault. This remediation follows the CWE-416 vulnerability pattern for use-after-free conditions and aligns with the ATT&CK technique T1068 for local privilege escalation through kernel exploits. The fix ensures proper synchronization between reference counting mechanisms and memory management, preventing the race condition that enabled the vulnerability.
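The rule the commit states, that mddev must not be touched once export_rdev() has run, modelled in user space as an added example that is not the kernel's code: the rdev holds a reference on mddev, export_rdev() drops it, and in the constructed scenario where the array's initial reference is already gone that drop frees mddev, so the pre-fix ordering reads freed memory while the fixed ordering finishes its mddev work first. The non-canonical address 0x6b6b6b6b6b6b6bcb in the trace above matches the slab POISON_FREE byte pattern (0x6b), the usual fingerprint of a read through a freed object under slab debugging. The struct layout, the freed flag and the simple reordering are assumptions of this model, not the kernel's actual patch.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed user-space model of the md refcount relationship; not kernel code. */
struct mddev { int kref; bool freed; int wakeups; };  /* kref models mddev->kobject's count */
struct rdev  { struct mddev *mddev; };                /* rdev->kobject holds one mddev reference */

/* Dropping the last reference frees mddev (kernel: kfree; slab debug poisons it with 0x6b). */
static void mddev_put(struct mddev *m) { if (--m->kref == 0) m->freed = true; }

/* Frees the rdev and drops its reference; if that was the last one, mddev is gone too. */
static void export_rdev(struct rdev *r) { struct mddev *m = r->mddev; free(r); mddev_put(m); }

/* Returns -1 when called on a freed mddev (models the GPF seen in md_wakeup_thread). */
static int md_wakeup_thread(struct mddev *m) { if (m->freed) return -1; m->wakeups++; return 0; }

/* Pre-fix ordering: mddev is dereferenced after export_rdev(). */
static int remove_rdev_buggy(struct rdev *r)
{
	struct mddev *m = r->mddev;
	export_rdev(r);
	return md_wakeup_thread(m);
}

/* Fixed ordering: every use of mddev happens before export_rdev(). */
static int remove_rdev_fixed(struct rdev *r)
{
	struct mddev *m = r->mddev;
	int rv = md_wakeup_thread(m);
	export_rdev(r);
	return rv;
}

/* Constructed race outcome: the array's initial reference has already been dropped, so the
 * rdev being removed holds the last one. Returns 0 for a safe ordering, -1 on use-after-free. */
int run_scenario(bool fixed)
{
	struct mddev *m = calloc(1, sizeof(*m));
	struct rdev *r = calloc(1, sizeof(*r));
	m->kref = 1;            /* initial reference taken when the array is created */
	r->mddev = m;
	m->kref++;              /* binding the rdev pins mddev */
	mddev_put(m);           /* initial reference gone (models concurrent array teardown) */
	int rv = fixed ? remove_rdev_fixed(r) : remove_rdev_buggy(r);
	free(m);                /* the model keeps the memory so the freed flag stays readable */
	return rv;
}
```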

This vulnerability represents a critical security concern for Linux systems utilizing mdadm and the md kernel subsystem, particularly in environments where dynamic device management is common. Systems running kernel versions affected by this vulnerability should be patched immediately to prevent potential exploitation. The test scenario provided demonstrates that this issue can be reliably reproduced under specific conditions, making it a realistic threat to system stability and security. Organizations should monitor their kernel versions and apply the relevant security patches to protect against potential exploitation of this vulnerability through both local and potentially remote attack vectors.

Responsible

Linux

Reservation

10/07/2025

Disclosure

10/07/2025

Moderation

accepted

CPE

ready

EPSS

0.00116

KEV

no

Activities

very low
