Linux Kernel up to 6.3.12/6.4.3 blk-cgroup blkcg_reset_stats initialization

Summaryinfo

A vulnerability has been found in Linux Kernel up to 6.3.12/6.4.3 and classified as critical. Impacted is the function blkcg_reset_stats of the component blk-cgroup. This manipulation causes initialization. This vulnerability is handled as CVE-2023-53421. There is not any exploit available. The affected component should be upgraded.

Detailsinfo

A vulnerability classified as critical was found in Linux Kernel up to 6.3.12/6.4.3. Affected by this vulnerability is the function blkcg_reset_stats of the component blk-cgroup. The manipulation with an unknown input leads to a initialization vulnerability. The CWE definition for the vulnerability is CWE-665. The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. The impact remains unknown. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Reinit blkg_iostat_set after clearing in blkcg_reset_stats() When blkg_alloc() is called to allocate a blkcg_gq structure with the associated blkg_iostat_set's, there are 2 fields within blkg_iostat_set that requires proper initialization - blkg & sync. The former field was introduced by commit 3b8cc6298724 ("blk-cgroup: Optimize blkcg_rstat_flush()") while the later one was introduced by commit f73316482977 ("blk-cgroup: reimplement basic IO stats using cgroup rstat"). Unfortunately those fields in the blkg_iostat_set's are not properly re-initialized when they are cleared in v1's blkcg_reset_stats(). This can lead to a kernel panic due to NULL pointer access of the blkg pointer. The missing initialization of sync is less problematic and can be a problem in a debug kernel due to missing lockdep initialization. Fix these problems by re-initializing them after memory clearing.

The advisory is shared at git.kernel.org. This vulnerability is known as CVE-2023-53421 since 09/17/2025. Technical details are known, but no exploit is available.

The vulnerability scanner Nessus provides a plugin with the ID 265506 (Linux Distros Unpatched Vulnerability : CVE-2023-53421), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.3.13 or 6.4.4 eliminates this vulnerability. Applying the patch b0d26283af612b9e0cc3188b0b88ad7fdea447e8/abbce7f82613ea5eeefd0fc3c1c8e449b9cef2a2/3d2af77e31ade05ff7ccc3658c3635ec1bea0979 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (265506) and CERT Bund (WID-SEC-2025-2092). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Affected

• Amazon Linux 2
• Red Hat Enterprise Linux
• SUSE Linux
• Oracle Linux
• SUSE openSUSE
• RESF Rocky Linux
• Open Source Linux Kernel
• Dell Secure Connect Gateway
• IBM QRadar SIEM

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.3.0
• 6.3.1
• 6.3.2
• 6.3.3
• 6.3.4
• 6.3.5
• 6.3.6
• 6.3.7
• 6.3.8
• 6.3.9
• 6.3.10
• 6.3.11
• 6.3.12
• 6.4.0
• 6.4.1
• 6.4.2
• 6.4.3

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion