VYPR
Unrated severity · NVD Advisory · Published Nov 3, 2023 · Updated Sep 5, 2024

CVE-2023-41914

Description

Race conditions in SchedMD Slurm 23.02.x before 23.02.6 and 22.05.x before 22.05.10 allow attackers to gain ownership of or overwrite arbitrary files, or delete directory contents.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A set of filesystem race conditions exists in SchedMD Slurm 23.02.x before 23.02.6 and 22.05.x before 22.05.10 within the slurmd and slurmstepd processes. These race conditions can be exploited to allow a user to take ownership of an arbitrary file, overwrite an arbitrary file (with data not directly under their control), or delete all files and sub-directories of an arbitrary target directory on the compute node [1]. The vulnerabilities were discovered during an audit of Slurm's filesystem handling code [1].

Exploitation

An attacker requires unprivileged access to a Slurm compute node. The race conditions are triggered during normal file operations performed by slurmd and slurmstepd. Exploitation does not require special authentication beyond a standard user account on the system [1]. The specific sequence involves timing attacks against filesystem operations to win races before permissions or ownership checks complete [1].

Impact

Successful exploitation allows an unprivileged attacker to gain ownership of arbitrary files, overwrite arbitrary files (with limited control over the data written), or recursively delete all files and subdirectories of an arbitrary directory on the compute node. This can lead to privilege escalation, data corruption, or denial of service [1].

Mitigation

Fixed versions are 23.02.6 and 22.05.10, released on October 11, 2023 [1]. SchedMD only issues security fixes for the currently supported releases (23.02 and 22.05) and strongly discourages backporting to older, unsupported releases [1]. Sites should upgrade immediately. No workaround other than upgrading has been disclosed. The CVE is not listed on the CISA KEV as of this writing.
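
A version triage check for the fixed releases named above, as an added example that is not SchedMD's code or part of the original advisory. The function name and status labels are assumptions; the input is a version string in the form `slurmd -V` prints, and the sample versions at the end are constructed.

```shell
#!/bin/sh
# Classify a Slurm version against the fixed releases named in this
# advisory (23.02.6 and 22.05.10). Function name and labels are hypothetical.
# Accepts "23.02.5" or "slurm 23.02.5" (the form `slurmd -V` prints).
slurm_cve_2023_41914_status() {
    ver=${1#slurm }          # drop a leading "slurm "
    ver=${ver%%-*}           # drop a packaging suffix such as "-1"
    case $ver in
        *[!0-9.]*|*..*|.*|*.|*.*.*.*) echo unparseable; return 0 ;;
        *.*.*) ;;            # exactly major.minor.micro
        *) echo unparseable; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    micro=${rest#*.}
    case "$major.$minor" in
        23.02) fixed_micro=6 ;;
        22.05) fixed_micro=10 ;;
        *)
            # The advisory names only 23.02.x and 22.05.x, and says fixes
            # are issued only for those two supported branches.
            if [ "$major" -lt 22 ] ||
               { [ "$major" -eq 22 ] && [ "$minor" -lt 5 ]; }; then
                echo unsupported-branch   # older branch: no fix release listed
            else
                echo not-listed           # branch not named in the advisory
            fi
            return 0 ;;
    esac
    if [ "$micro" -lt "$fixed_micro" ]; then
        echo affected
    else
        echo fixed
    fi
}

# Constructed sample inputs; on a compute node pass "$(slurmd -V)" instead.
for v in "slurm 23.02.5" "slurm 23.02.6" "22.05.9" "22.05.10-1" "21.08.8"; do
    printf '%-16s %s\n' "$v" "$(slurm_cve_2023_41914_status "$v")"
done
```

Run across a node inventory, any result other than `fixed` or `not-listed` marks a compute node that still needs the upgrade or a move to a supported branch.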

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

35

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The slurmd/slurmstepd processes are vulnerable to filesystem race conditions."

Attack vector

An attacker can exploit filesystem race conditions within the slurmd/slurmstepd processes to gain ownership of an arbitrary file, overwrite an arbitrary file with data not under their direct control, or delete all files and sub-directories within a target directory on the compute node [1]. These vulnerabilities allow for unauthorized file manipulation on the system.

Affected code

The vulnerability lies within the slurmd/slurmstepd processes, which handle filesystem operations. The advisory does not specify exact file paths or function names, but indicates that the issues are related to Slurm's filesystem handling code [1].

What the fix does

The advisory states that versions 23.02.6 and 22.05.10 address a number of filesystem race conditions within the slurmd/slurmstepd processes [1]. These fixes aim to prevent attackers from taking control of arbitrary files, overwriting files, or deleting directory contents. SchedMD strongly encourages users to upgrade to these fixed versions immediately.

Preconditions

  • auth: The attacker must have the ability to execute code on a compute node managed by Slurm.

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
