VYPR
Unrated severity · NVD Advisory · Published Oct 22, 2025 · Updated Apr 15, 2026

CVE-2023-53709

Description

In the Linux kernel, the following vulnerability has been resolved:

ring-buffer: Handle race between rb_move_tail and rb_check_pages

It seems there is a data race between ring_buffer writing and the integrity check. That is, RB_FLAG of head_page is being updated while at the same time RB_FLAG is cleared when doing the integrity check rb_check_pages():

  rb_check_pages()              rb_handle_head_page():
  --------                      --------
  rb_head_page_deactivate()
                                rb_head_page_set_normal()
  rb_head_page_activate()

We do an integrity test of the list to check if the list is corrupted, and it is still worth doing it. So, let's refactor rb_check_pages() such that we no longer clear and set the flag during the list sanity checking.

[1] and [2] are the test to reproduce and the crash report respectively.

1:

  # read_trace.sh
  while true; do
    # the "trace" file is closed after read
    head -1 /sys/kernel/tracing/trace > /dev/null
  done

  sysctl -w kernel.panic_on_warn=1
  # function tracer will writing enough data into ring_buffer
  echo function > /sys/kernel/tracing/current_tracer
  ./read_trace.sh &
  ./read_trace.sh &
  ./read_trace.sh &
  ./read_trace.sh &
  ./read_trace.sh &
  ./read_trace.sh &
  ./read_trace.sh &
  ./read_trace.sh &

2:

  ------------[ cut here ]------------
  WARNING: CPU: 9 PID: 62 at kernel/trace/ring_buffer.c:2653 rb_move_tail+0x450/0x470
  Modules linked in:
  CPU: 9 PID: 62 Comm: ksoftirqd/9 Tainted: G        W          6.2.0-rc6+
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
  RIP: 0010:rb_move_tail+0x450/0x470
  Code: ff ff 4c 89 c8 f0 4d 0f b1 02 48 89 c2 48 83 e2 fc 49 39 d0 75 24 83 e0 03 83 f8 02 0f 84 e1 fb ff ff 48 8b 57 10 f0 ff 42 08 <0f> 0b 83 f8 02 0f 84 ce fb ff ff e9 db
  RSP: 0018:ffffb5564089bd00 EFLAGS: 00000203
  RAX: 0000000000000000 RBX: ffff9db385a2bf81 RCX: ffffb5564089bd18
  RDX: ffff9db281110100 RSI: 0000000000000fe4 RDI: ffff9db380145400
  RBP: ffff9db385a2bf80 R08: ffff9db385a2bfc0 R09: ffff9db385a2bfc2
  R10: ffff9db385a6c000 R11: ffff9db385a2bf80 R12: 0000000000000000
  R13: 00000000000003e8 R14: ffff9db281110100 R15: ffffffffbb006108
  FS:  0000000000000000(0000) GS:ffff9db3bdcc0000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00005602323024c8 CR3: 0000000022e0c000 CR4: 00000000000006e0
  Call Trace:
   ring_buffer_lock_reserve+0x136/0x360
   ? __do_softirq+0x287/0x2df
   ? __pfx_rcu_softirq_qs+0x10/0x10
   trace_function+0x21/0x110
   ? __pfx_rcu_softirq_qs+0x10/0x10
   ? __do_softirq+0x287/0x2df
   function_trace_call+0xf6/0x120
   0xffffffffc038f097
   ? rcu_softirq_qs+0x5/0x140
   rcu_softirq_qs+0x5/0x140
   __do_softirq+0x287/0x2df
   run_ksoftirqd+0x2a/0x30
   smpboot_thread_fn+0x188/0x220
   ? __pfx_smpboot_thread_fn+0x10/0x10
   kthread+0xe7/0x110
   ? __pfx_kthread+0x10/0x10
   ret_from_fork+0x2c/0x50
  ---[ end trace 0000000000000000 ]---

[crash report and test reproducer credit goes to Zheng Yejian]

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in the Linux kernel's ring buffer between rb_move_tail and rb_check_pages can cause a kernel panic (WARN_ON) when the ring buffer integrity check concurrently modifies flags while the buffer is being written.

Vulnerability Details

CVE-2023-53709 is a data race in the Linux kernel's ring buffer implementation, specifically between the rb_move_tail function (used during buffer writes) and the rb_check_pages integrity check function. The race occurs because rb_check_pages clears and then sets a flag (RB_FLAG) on the head page while another thread concurrently updates that same flag during a normal ring buffer write operation [1].
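To make the race concrete, here is an added, deliberately simplified single-threaded model (not kernel code, and not from the fix commit) of the interleaving the commit message describes: the checker clears the head-page flag, the writer tries to claim the head page in between, and the checker sets the flag back. The tag names, the low-bit tag encoding and the four-page ring are constructed assumptions of this model; the same interleaving is run against a read-only checker to show why the fix removes the failure.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed tag values kept in the low bits of the "next" link; they stand in
 * for the RB_FLAG head-page marking the commit message talks about. */
enum { TAG_NORMAL = 0, TAG_HEAD = 1, TAG_UPDATE = 2, TAG_MASK = 3 };

struct page { uintptr_t next; };   /* address of the next page | tag bits */
static struct page *link_of(const struct page *p) { return (struct page *)(p->next & ~(uintptr_t)TAG_MASK); }
static unsigned tag_of(const struct page *p) { return (unsigned)(p->next & TAG_MASK); }
static void set_tag(struct page *p, unsigned t) { p->next = (p->next & ~(uintptr_t)TAG_MASK) | t; }

static void make_ring(struct page *pages, unsigned n)
{   /* constructed input: a ring of n pages with pages[0] marked as the head */
    for (unsigned i = 0; i < n; i++) pages[i].next = (uintptr_t)&pages[(i + 1) % n];
    set_tag(&pages[0], TAG_HEAD);
}

/* Read-only sanity walk: n hops from the head must land on the head again.
 * This is all the integrity check needs; it never has to touch the tag. */
static bool ring_is_sane(const struct page *head, unsigned n)
{
    const struct page *p = head;
    while (n--) p = link_of(p);
    return p == head;
}

/* Writer side (rb_handle_head_page in the commit text): claim the head page by
 * moving its tag HEAD -> UPDATE, the way a compare-and-swap expecting HEAD would. */
static bool writer_claim_head(struct page *head, int *warn_count)
{
    if (tag_of(head) == TAG_HEAD) { set_tag(head, TAG_UPDATE); return true; }
    (*warn_count)++;          /* any other tag is the WARN_ON case */
    return false;
}

/* One fixed interleaving: checker starts, writer runs, checker finishes.
 * Returns WARN_ON-equivalent events (-1 if the walk failed) and the final head tag. */
static int run_interleaving(bool patched_checker, unsigned *final_tag)
{
    struct page pages[4];
    int warns = 0;
    make_ring(pages, 4);
    if (!patched_checker) set_tag(&pages[0], TAG_NORMAL); /* rb_head_page_deactivate() */
    if (!ring_is_sane(&pages[0], 4)) return -1;           /* the list walk itself */
    writer_claim_head(&pages[0], &warns);                 /* racing writer sees the cleared tag */
    if (!patched_checker) set_tag(&pages[0], TAG_HEAD);   /* rb_head_page_activate() clobbers UPDATE */
    *final_tag = tag_of(&pages[0]);
    return warns;
}

int warnings_for(bool patched) { unsigned t; return run_interleaving(patched, &t); }
unsigned final_tag_for(bool patched) { unsigned t; run_interleaving(patched, &t); return t; }
```

With the mutating checker the writer observes a NORMAL tag (the WARN_ON path) and its UPDATE tag is then overwritten back to HEAD; with the read-only checker the writer's claim succeeds and the tag ends as UPDATE.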

Exploitation Scenarios

The vulnerability can be triggered by concurrently reading and writing the kernel trace ring buffer. As shown in the provided reproducer [1], the attack surface involves multiple userspace processes reading the trace file (e.g., /sys/kernel/tracing/trace) while the function tracer is enabled, causing high-frequency buffer writes. No special privileges beyond read access to the trace file are required—a local unprivileged user can exploit this race condition to crash the system.

Impact

A successful exploit results in a kernel warning (WARN_ON) and a subsequent kernel panic if the kernel.panic_on_warn sysctl is enabled. This constitutes a denial-of-service (DoS) condition, crashing the entire system. The crash report shows a kernel panic in rb_move_tail [2], indicating that the race can corrupt the ring buffer's internal state.

Mitigation Status

The fix, which refactors rb_check_pages to avoid clearing and setting flags during the integrity check, has been merged into the Linux kernel stable tree [1]. Linux distributions that have backported the commit (8843e06f67b14f71c044bf6267b2387784c7e198) are patched. Users should update their kernels to the latest stable release to mitigate this vulnerability.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
