CVE-2023-53722
Description
In the Linux kernel, the following vulnerability has been resolved:
md: raid1: fix potential OOB in raid1_remove_disk()
If rddev->raid_disk is greater than mddev->raid_disks, there will be an out-of-bounds in raid1_remove_disk(). We have already found similar reports as follows:
1) commit d17f744e883b ("md-raid10: fix KASAN warning")
2) commit 1ebc2cec0b7d ("dm raid: fix KASAN warning in raid5_remove_disk")
Fix this bug by checking whether the "number" variable is valid.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's md/raid1 driver, an out-of-bounds access in raid1_remove_disk() can occur if rddev->raid_disk exceeds mddev->raid_disks.
Vulnerability Description
In the Linux kernel's md (multiple device) driver, specifically the RAID1 personality, the function raid1_remove_disk() did not properly validate the rddev->raid_disk value against the current number of RAID disks (mddev->raid_disks). If rddev->raid_disk is greater than or equal to mddev->raid_disks, an out-of-bounds (OOB) access occurs, leading to potential memory corruption or system instability. This bug is analogous to previously fixed issues in md-raid10 (via commit d17f744e883b) and dm-raid (via commit 1ebc2cec0b7d) [1][2][3][4].
Exploitation Conditions
The vulnerability can be triggered when a disk removal operation is performed in a RAID1 array, and the disk's internal raid_disk index has been left in an inconsistent state (e.g., after certain reconfiguration or partial initialization). An attacker with the ability to trigger disk removal, either through direct user interaction with the md device or via automated storage reconfiguration, could exploit this missing bounds check. No additional authentication beyond the existing capabilities to manage RAID devices is required if the attacker already has local access or can influence storage operations.
Impact
Successful exploitation could lead to an out-of-bounds read or write in kernel memory, potentially causing a denial of service (system crash or hang) or, under specific conditions, privilege escalation if the attacker can control the out-of-bounds access to corrupt critical kernel structures. The kernel bug is classified with a CVSS score that reflects the high severity of memory safety violations in the core storage subsystem.
Mitigation
The fix adds a bounds check to ensure that the disk index is valid before performing the removal. The patch has been integrated into the Linux kernel stable branches as commits [1][2][3][4]. Users are advised to update their kernels to versions containing these commits or apply the patch if building from source. No workarounds are available if the vulnerable kernel version is in use; only upgrading mitigates the risk.
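The following simplified user-space C model is an added illustration of the index validation described above; it is not the kernel patch and not code from this page. All `model_*` names, the two-slot array, the guard field and the return codes are assumptions, and the rejection of negative indices goes beyond the "greater than" case in the description.

```c
#include <stdio.h>

/* Simplified user-space model. All model_* names are hypothetical. */
#define MODEL_RAID_DISKS 2
#define MODEL_GUARD 0x5A5A5A5Au

struct model_mirror { int in_use; };   /* 1 if a member occupies the slot */

struct model_conf {
    int raid_disks;                               /* number of valid slots */
    struct model_mirror mirrors[MODEL_RAID_DISKS];
    unsigned guard;              /* stands in for memory next to the array */
};

struct model_conf model_new(void)
{
    struct model_conf c = { MODEL_RAID_DISKS, { {1}, {1} }, MODEL_GUARD };
    return c;
}

/*
 * Remove the member in slot `number`. The index is per-device state
 * (raid_disk in the description), so it is validated against raid_disks
 * before it is used to address the mirrors array.
 * Returns 0 on removal, -1 for an invalid index, -2 for an empty slot
 * (return codes are this model's own choice).
 */
int model_remove_disk(struct model_conf *conf, int number)
{
    if (number < 0 || number >= conf->raid_disks)
        return -1;                      /* reject before any array access */

    struct model_mirror *p = &conf->mirrors[number];
    if (!p->in_use)
        return -2;
    p->in_use = 0;
    return 0;
}

int main(void)
{
    int samples[] = { 0, 1, 2, 7, -1 };      /* constructed sample indices */
    struct model_conf c = model_new();
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("number=%d -> %d\n", samples[i], model_remove_disk(&c, samples[i]));
    printf("guard intact: %d\n", c.guard == MODEL_GUARD);
    return 0;
}
```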
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 8
beedf40f7393, 91fbd4e75cb5, 25a68f2286be, 7993cfc04148, 4f96c0665f9f, 4f7d853b4590, 4bdb92eaf645, 8b0472b50bcf
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/25a68f2286be56fb3a6f9fa0e269c04b5e6c6e24 (nvd)
- git.kernel.org/stable/c/4bdb92eaf645e312975357adc3c4e9523b6e67f1 (nvd)
- git.kernel.org/stable/c/4f7d853b4590fc20e90dd50e346c02811a8c5b08 (nvd)
- git.kernel.org/stable/c/4f96c0665f9f4cf70130c9757750dc43dc679c82 (nvd)
- git.kernel.org/stable/c/7993cfc041481a3a9cd4a3858088fc846b8ccaf7 (nvd)
- git.kernel.org/stable/c/8b0472b50bcf0f19a5119b00a53b63579c8e1e4d (nvd)
- git.kernel.org/stable/c/91fbd4e75cb573f44d2619a9dc2f9ba927040760 (nvd)
- git.kernel.org/stable/c/beedf40f73939f248c81802eda08a2a8148ea13e (nvd)