CVE-2023-53694
Description
In the Linux kernel, the following vulnerability has been resolved:
riscv: ftrace: Fixup panic by disabling preemption
In RISCV, we must use an AUIPC + JALR pair to encode an immediate, forming a jump that jumps to an address over 4K. This may cause errors if we want to enable kernel preemption and remove dependency from patching code with stop_machine(). For example, if a task was switched out on auipc, and we changed the ftrace function before it was switched back, then it would jump to an address whose updated 11:0 bits are mixed with the previous XLEN:12 part.

    p: patched area performed by dynamic ftrace
    ftrace_prologue:
    p|      REG_S   ra, -SZREG(sp)
    p|      auipc   ra, 0x? ------------> preempted
                    ...
                    change ftrace function
                    ...
    p|      jalr    -?(ra) <------------- switched back
    p|      REG_L   ra, -SZREG(sp)
    func:
            xxx
            ret
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel RISC-V ftrace AUIPC/JALR patching race condition leading to kernel panic when preemption occurs between instruction updates.
Vulnerability
In the Linux kernel, the RISC-V ftrace implementation uses an AUIPC + JALR pair to encode a jump for function tracing, which requires patching two instructions. This patching is not atomic; if kernel preemption is enabled, a task may be switched out after executing the AUIPC instruction but before the JALR instruction is reached. If the ftrace function is patched in the meantime (e.g., via dynamic ftrace updates), the JALR will target an incorrect address because the upper bits of the original address are combined with the lower bits of the new address, leading to an arbitrary jump [1].
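As an added illustration (not code from the kernel, the commit, or this CVE page), the C program below models how a PC-relative offset is split into the AUIPC hi20 and JALR lo12 immediates, and what target results when the old AUIPC part is paired with the new JALR part, as happens when a task is preempted between the two instructions during patching. The pc and offsets are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>

/* Low 12 bits of the offset as JALR sees them: sign-extended, so bit 11 set
 * makes the immediate negative (the "jalr -?(ra)" in the commit diagram). */
static int32_t lo12_of(int32_t off)
{
    int32_t lo = off & 0xfff;
    return (lo & 0x800) ? lo - 0x1000 : lo;
}

/* Upper 20 bits for AUIPC: the remainder after removing lo12, which absorbs
 * the carry whenever lo12 went negative. Arithmetic in 64 bits to avoid
 * overflow at the int32 extremes. */
static uint32_t hi20_of(int32_t off)
{
    return (uint32_t)((uint64_t)((int64_t)off - lo12_of(off)) >> 12) & 0xfffff;
}

/* Target reached by executing "auipc ra, hi20 ; jalr lo12(ra)" at pc. */
static uint64_t jump_target(uint64_t pc, uint32_t hi20, int32_t lo12)
{
    int64_t auipc_imm = (int32_t)(hi20 << 12);          /* sext32(hi20 << 12) */
    uint64_t ra = pc + (uint64_t)auipc_imm;
    return (ra + (uint64_t)(int64_t)lo12) & ~(uint64_t)1; /* JALR clears bit 0 */
}

/* The race from the commit: the task ran auipc with the OLD encoding, was
 * preempted, ftrace rewrote both instructions for NEW, and the task resumed
 * at the NEW jalr. Old XLEN:12 bits are mixed with new 11:0 bits. */
static uint64_t torn_target(uint64_t pc, int32_t old_off, int32_t new_off)
{
    return jump_target(pc, hi20_of(old_off), lo12_of(new_off));
}

int main(void)
{
    uint64_t pc = 0xffffffff80001000ull;   /* constructed sample kernel address */
    int32_t old_off = 0x12344, new_off = 0x5AFF0;
    printf("old target : %#llx\n", (unsigned long long)(pc + old_off));
    printf("new target : %#llx\n", (unsigned long long)(pc + new_off));
    printf("torn target: %#llx\n",
           (unsigned long long)torn_target(pc, old_off, new_off));
    return 0;
}
```

Note that 0x5AFF0 encodes as hi20 = 0x5B, lo12 = -0x10, so the torn jump lands at pc + 0x11FF0, an address that is neither the old nor the new target.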
Exploitation
The attack surface requires the ability to trigger preemption during a window when ftrace is being patched. This can occur in normal kernel operation if preemption is enabled. An unprivileged user may not directly exploit this unless they can cause a context switch at the precise moment of patching. However, the vulnerability can be triggered by system-level operations that update ftrace hooks, such as enabling/disabling tracepoints or function tracers.
Impact
If exploited, the incorrect jump can cause the kernel to execute arbitrary code or crash, resulting in a denial of service (kernel panic). The vulnerability is classified with a CVSS score that reflects high availability impact but no confidentiality or integrity impact, as the primary outcome is system instability.
Mitigation
The issue was fixed in a stable kernel commit [1]. The fix involves disabling preemption during the patching sequence to ensure atomicity of the AUIPC+JALR update. Users should apply the latest stable kernel updates that include this commit to prevent the race condition.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (1)
384cfcf240f4a20a7510e78108547649981e6
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (3)
No linked articles in our index yet.