CVE-2023-53777
Description
In the Linux kernel, the following vulnerability has been resolved:
erofs: kill hooked chains to avoid loops on deduplicated compressed images
After heavily stressing EROFS with several images which include a hand-crafted image of repeated patterns for more than 46 days, I found two chains could be linked with each other almost simultaneously and form a loop so that the entire loop won't be submitted. As a consequence, the corresponding file pages will remain locked forever.
It can be _only_ observed on data-deduplicated compressed images. For example, consider two chains with five pclusters in total:
Chain 1: 2->3->4->5 -- The tail pcluster is 5;
Chain 2: 5->1->2 -- The tail pcluster is 2.
Chain 2 could link to Chain 1 with pcluster 5; and Chain 1 could link to Chain 2 at the same time with pcluster 2.
Since hooked chains are all linked locklessly now, I have no idea how to simply avoid the race. Instead, let's avoid hooked chains completely until I could work out a proper way to fix this and end users finally tell us that it's needed to add it back.
Actually, this optimization can be found with multi-threaded workloads (especially even more often on deduplicated compressed images), yet I'm not sure about the overall system impacts of not having this compared with implementation complexity.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in EROFS' handling of deduplicated compressed images can cause a circular chain, locking file pages forever.
Vulnerability
CVE-2023-53777 is a race condition in the Linux kernel's EROFS filesystem. When processing deduplicated compressed images, EROFS uses 'hooked chains' to link pclusters. Under heavy multi-threaded workloads, two chains can link to each other almost simultaneously, forming a loop. This prevents the loop from being submitted for I/O, leaving the corresponding file pages locked indefinitely.
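The five-pcluster example from the description, replayed as a simplified single-threaded model (an added example, not the kernel's code; `claim`, `submit`, `replay`, `has_loop` and the `NIL`/`TAIL` markers are names assumed for illustration). It applies one interleaving of the two readers with hooking enabled, then with hooking disabled as the fix does.

```c
#include <stdio.h>

#define NIL  (-1)   /* pcluster not claimed by any chain (assumed marker) */
#define TAIL (-2)   /* open end of a chain (assumed marker) */
#define NPCL 6      /* pclusters 1..5 as in the description; index 0 unused */

static int next_pcl[NPCL];

/* Simplified claim step: own a free pcluster, or (old behaviour) hook onto
 * another chain's open tail and hand our own list over to that chain. */
static void claim(int pcl, int *head, int allow_hook)
{
    if (next_pcl[pcl] == NIL) {             /* free: push onto our chain */
        next_pcl[pcl] = *head;
        *head = pcl;
    } else if (allow_hook && next_pcl[pcl] == TAIL) {
        next_pcl[pcl] = *head;              /* their tail continues into us */
        *head = TAIL;                       /* we no longer submit anything */
    }                                       /* else: in flight elsewhere, skip */
}

/* Walk a chain from its head as a submitter would; count its pclusters. */
static int submit(int head)
{
    int n = 0;
    for (; head != TAIL && n <= NPCL; head = next_pcl[head])
        n++;
    return n;
}

/* Replay one interleaving; return how many pclusters get submitted. */
int replay(int allow_hook)
{
    int a = TAIL, b = TAIL;                 /* owned heads of readers A and B */
    for (int i = 0; i < NPCL; i++)
        next_pcl[i] = NIL;
    claim(5, &a, allow_hook); claim(4, &a, allow_hook); claim(3, &a, allow_hook);
    claim(2, &b, allow_hook); claim(1, &b, allow_hook);
    claim(2, &a, allow_hook);               /* A reaches B's open tail */
    claim(5, &b, allow_hook);               /* B reaches A's open tail */
    return submit(a) + submit(b);
}

/* Return 1 if following next pointers from pcluster 2 leads back to 2. */
int has_loop(void)
{
    int p = next_pcl[2];
    for (int i = 0; i < NPCL && p >= 0; i++, p = next_pcl[p])
        if (p == 2) return 1;
    return 0;
}
```

With hooking enabled both readers end up with an empty owned head, so none of the five pclusters is submitted and the list is the cycle 2->3->4->5->1->2; with hooking disabled the readers submit 3->4->5 and 1->2 separately.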
Exploitation
An attacker must provide a specially crafted data-deduplicated compressed image. The race is more likely to manifest with multi-threaded workloads. No special privileges are required beyond mounting the malicious image; the condition occurs during normal page cache operations.
Impact
Successful exploitation results in a denial of service (DoS): affected processes hang trying to access the locked pages, potentially leading to system unresponsiveness or reboot.
Mitigation
The fix removes the hooked chains optimization entirely until a proper solution is developed. Patches have been committed to the stable kernel trees (see [1] and [2]). Users should update their kernels to incorporate these commits.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 4
d3b39ea24835, b5b0d52f00e4, 10c2b98a40d9, 967c28b23f6c
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.