VYPR
← All advisories
Unrated severityNVD Advisory· Published Oct 22, 2025· Updated Apr 15, 2026

CVE-2023-53711

CVE-2023-53711

Description

In the Linux kernel, the following vulnerability has been resolved:

NFS: Fix a potential data corruption

We must ensure that the subrequests are joined back into the head before we can retransmit a request. If the head was not on the commit lists, because the server wrote it synchronously, we still need to add it back to the retransmission list. Add a call that mirrors the effect of nfs_cancel_remove_inode() for O_DIRECT.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in the Linux kernel's NFS subsystem can cause data corruption when O_DIRECT writes are retransmitted.

Vulnerability

Description

A data corruption vulnerability exists in the Linux kernel's NFS subsystem. The root cause is a missing synchronization step during the retransmission of direct I/O (O_DIRECT) write requests. When the server acknowledges a synchronous write, the client's head request must be rejoined with its subrequests and re-added to the retransmission list. The code lacked the equivalent of nfs_cancel_remove_inode() for O_DIRECT, leaving the head request detached from the commit lists and causing potential data corruption upon retransmission.

Attack

Vector and Exploitation

Exploitation occurs when an NFS client sends O_DIRECT writes and a network issue forces a retransmission. An attacker with the ability to trigger or coincide with such a fault – for example, by causing network partitions or packet loss – can take advantage of the missing call to corrupt file data. No special privileges beyond network access to the NFS traffic are required; the corruption manifests during normal write retry operations.

Impact

If successfully triggered, the vulnerability causes silent data corruption in files written via O_DIRECT over NFS. The corrupted data would be persisted to the server and could affect any subsequently read file contents, potentially compromising application integrity or causing data loss.

Mitigation

The fix is included in upstream Linux kernel commits [1] and [2]. Users should apply the latest stable kernel updates from their distribution. No workaround other than patching is known; systems using NFS with O_DIRECT are at risk.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

5
4185605cd0f7
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
da302f1d476a
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
dac14a1dbe20
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
0ec26716e45d
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
88975a55969e
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Root cause

"Missing re-joining of subrequests to the head request before retransmission in NFS O_DIRECT write path can lead to data corruption."

Attack vector

An attacker controlling a network path between an NFS client and server could trigger retransmission of an O_DIRECT write request. If the server had already written the head request synchronously (so it was not on the commit lists), the subrequests would not be properly rejoined to the head before retransmission. This can cause data corruption because the retransmitted request may operate on inconsistent or incomplete data. The vulnerability is triggered through network-level manipulation that forces NFS request retransmission.

Affected code

The vulnerability affects the NFS O_DIRECT write path in the Linux kernel. The patch files (patch_ids 3480-3484) modify the retransmission logic to ensure subrequests are joined back into the head request before retransmission. The specific code paths involve nfs_cancel_remove_inode() and the O_DIRECT write completion handling.

What the fix does

The patch adds a call that mirrors the effect of nfs_cancel_remove_inode() for O_DIRECT, ensuring subrequests are joined back into the head request before retransmission. This closes the gap where a synchronously-written head request (not on commit lists) would be retransmitted without its subrequests properly attached. By ensuring the head is added back to the retransmission list with all subrequests joined, the fix prevents data corruption during retransmission.

Preconditions

  • networkAttacker must be able to manipulate network traffic between NFS client and server to trigger request retransmission.
  • inputThe NFS client must be performing O_DIRECT writes to the NFS server.

Generated on May 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.