CVE-2023-52935

HIGH EPSS 8.1%
Published Mar 27, 20251y ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published Mar 27, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: mm/khugepaged: fix ->anon_vma race If an ->anon_vma is attached to the VMA, collapse_and_free_pmd() requires it to be locked. Page table traversal is allowed under any one of the mmap lock, the anon_vma lock (if the VMA is associated with an anon_vma), and the mapping lock (if the VMA is associated with a mapping); and so to be able to remove page tables, we must hold all three of them. retract_page_tables() bails out if an ->anon_vma is attached, but does this check before holding the mmap lock (as the comment above the check explains). If we racily merged an existing ->anon_vma (shared with a child process) from a neighboring VMA, subsequent rmap traversals on pages belonging to the child will be able to see the page tables that we are concurrently removing while assuming that nothing else can access them. Repeat the ->anon_vma check once we hold the mmap lock to ensure that there really is no concurrent page table access. Hitting this bug causes a lockdep warning in collapse_and_free_pmd(), in the line "lockdep_assert_held_write(&vma->anon_vma->root->rwsem)". It can also lead to use-after-free access.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
8.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 11

VendorProductVersionRange
debiandebian_linux11.0any
linuxlinux_kernel*≥4.8  –  <5.4.299
linuxlinux_kernel*≥5.5  –  <5.10.243
linuxlinux_kernel*≥5.11  –  <5.15.192
linuxlinux_kernel*≥5.16  –  <6.1.11
linuxlinux_kernel6.2any
linuxlinux_kernel6.2any
linuxlinux_kernel6.2any
linuxlinux_kernel6.2any
linuxlinux_kernel6.2any
linuxlinux_kernel6.2any

References 6

  • git.kernel.org https://git.kernel.org/stable/c/023f47a8250c6bdb4aebe744db4bf7f73414028b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/352fbf61ce776fef18dca6a68680a6cd943dac95
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/abdf3c33918185c3e8ffeb09ed3e334b3d7df47c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/acb08187b5a83cdb9ac4112fae9e18cf983b0128
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cee956ab1efbd858b4ca61c8b474af5aa24b29a6
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
    Mailing ListThird Party Advisory

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/023f47a8250c6bdb4aebe744db4bf7f73414028b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/352fbf61ce776fef18dca6a68680a6cd943dac95
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/abdf3c33918185c3e8ffeb09ed3e334b3d7df47c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/acb08187b5a83cdb9ac4112fae9e18cf983b0128
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cee956ab1efbd858b4ca61c8b474af5aa24b29a6
    Patch