CVE-2023-53431

MEDIUM EPSS 3.5%
Published Sep 18, 20259mo ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Sep 18, 2025 9mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: ses: Handle enclosure with just a primary component gracefully This reverts commit 3fe97ff3d949 ("scsi: ses: Don't attach if enclosure has no components") and introduces proper handling of case where there are no detected secondary components, but primary component (enumerated in num_enclosures) does exist. That fix was originally proposed by Ding Hui <dinghui@sangfor.com.cn>. Completely ignoring devices that have one primary enclosure and no secondary one results in ses_intf_add() bailing completely scsi 2:0:0:254: enclosure has no enumerated components scsi 2:0:0:254: Failed to bind enclosure -12ven in valid configurations such even on valid configurations with 1 primary and 0 secondary enclosures as below: # sg_ses /dev/sg0 3PARdata SES 3321 Supported diagnostic pages: Supported Diagnostic Pages [sdp] [0x0] Configuration (SES) [cf] [0x1] Short Enclosure Status (SES) [ses] [0x8] # sg_ses -p cf /dev/sg0 3PARdata SES 3321 Configuration diagnostic page: number of secondary subenclosures: 0 generation code: 0x0 enclosure descriptor list Subenclosure identifier: 0 [primary] relative ES process id: 0, number of ES processes: 1 number of type descriptor headers: 1 enclosure logical identifier (hex): 20000002ac02068d enclosure vendor: 3PARdata product: VV rev: 3321 type descriptor header and text list Element type: Unspecified, subenclosure id: 0 number of possible elements: 1 The changelog for the original fix follows ===== We can get a crash when disconnecting the iSCSI session, the call trace like this: [ffff00002a00fb70] kfree at ffff00000830e224 [ffff00002a00fba0] ses_intf_remove at ffff000001f200e4 [ffff00002a00fbd0] device_del at ffff0000086b6a98 [ffff00002a00fc50] device_unregister at ffff0000086b6d58 [ffff00002a00fc70] __scsi_remove_device at ffff00000870608c [ffff00002a00fca0] scsi_remove_device at ffff000008706134 [ffff00002a00fcc0] __scsi_remove_target at ffff0000087062e4 [ffff00002a00fd10] scsi_remove_target at ffff0000087064c0 [ffff00002a00fd70] __iscsi_unbind_session at ffff000001c872c4 [ffff00002a00fdb0] process_one_work at ffff00000810f35c [ffff00002a00fe00] worker_thread at ffff00000810f648 [ffff00002a00fe70] kthread at ffff000008116e98 In ses_intf_add, components count could be 0, and kcalloc 0 size scomp, but not saved in edev->component[i].scratch In this situation, edev->component[0].scratch is an invalid pointer, when kfree it in ses_intf_remove_enclosure, a crash like above would happen The call trace also could be other random cases when kfree cannot catch the invalid pointer We should not use edev->component[] array when the components count is 0 We also need check index when use edev->component[] array in ses_enclosure_data_process =====

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
3.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 12

VendorProductVersionRange
linuxlinux_kernel*≥2.6.25  –  <4.19.281
linuxlinux_kernel*≥4.20  –  <5.4.241
linuxlinux_kernel*≥5.5  –  <5.10.178
linuxlinux_kernel*≥5.11  –  <5.15.108
linuxlinux_kernel*≥5.16  –  <6.1.25
linuxlinux_kernel*≥6.2  –  <6.2.12
linuxlinux_kernel6.3any
linuxlinux_kernel6.3any
linuxlinux_kernel6.3any
linuxlinux_kernel6.3any
linuxlinux_kernel6.3any
linuxlinux_kernel6.3any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/05143d90ac90b7abc6692285895a1ef460e008ee
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/110d425cdfb15006f3c4fde5264e786a247b6b36
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/176d7345b89ced72020a313bfa4e7f345d1c3aed
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4e7c498c3713b09bef20c76c7319555637e8bbd5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c8e22b7a1694bb8d025ea636816472739d859145
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/eabc4872f172ecb8dd8536bc366a51868154a450
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f8e702c54413eee2d8f94f61d18adadac7c87e87
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/05143d90ac90b7abc6692285895a1ef460e008ee
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/110d425cdfb15006f3c4fde5264e786a247b6b36
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/176d7345b89ced72020a313bfa4e7f345d1c3aed
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4e7c498c3713b09bef20c76c7319555637e8bbd5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c8e22b7a1694bb8d025ea636816472739d859145
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/eabc4872f172ecb8dd8536bc366a51868154a450
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f8e702c54413eee2d8f94f61d18adadac7c87e87
    Patch