CVE-2023-54087
Description
In the Linux kernel, the following vulnerability has been resolved:
ubi: Fix possible null-ptr-deref in ubi_free_volume()
It will cause null-ptr-deref in the following case:
uif_init()
  ubi_add_volume()
    cdev_add() -> if it fails, call kill_volumes()
    device_register()

kill_volumes() -> if ubi_add_volume() fails call this function
  ubi_free_volume()
    cdev_del()
    device_unregister() -> trying to delete a not added device, it causes null-ptr-deref
So in ubi_free_volume(), it deletes devices whether they are added or not, which will cause null-ptr-deref.
Handle the error case while calling ubi_add_volume() to fix this problem. If add volume fails, set the corresponding vol to null, so it cannot be accessed in kill_volumes() and release the resource in ubi_add_volume() error path.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A null-pointer dereference in the Linux kernel UBI subsystem occurs when ubi_free_volume() is triggered by a failed ubi_add_volume() call.
Root Cause
In the Linux kernel's UBI (Unsorted Block Images) subsystem, the function ubi_free_volume() can be called during error handling when ubi_add_volume() fails. Specifically, cdev_add() or device_register() within ubi_add_volume() may fail, leading to a call to kill_volumes(), which iterates over volumes and calls ubi_free_volume() on each. However, if a volume was not successfully added (e.g., device_register() was never called), ubi_free_volume() still attempts to call cdev_del() and device_unregister() on that volume, resulting in a null-pointer dereference [1][2][3].
Exploitation
An attacker would need to trigger a failure in the UBI volume creation path, for example by exhausting system resources or causing a race condition that makes cdev_add() or device_register() fail. This requires local access to the system and the ability to manipulate UBI volumes (e.g., via ubiattach or ubimkexec). Special privileges are not strictly required if the attacker can create volumes and then cause a failure in volume creation, but typical scenarios involve a local user with access to UBI control interfaces.
Impact
Successful exploitation leads to a kernel crash (denial of service) due to a null-pointer dereference. This can cause system instability or a complete system hang, requiring a reboot. There is no evidence of privilege escalation or data corruption beyond the immediate crash.
Mitigation
The fix, committed in the Linux kernel stable tree, ensures that when ubi_add_volume() fails, the corresponding volume pointer is set to NULL so that kill_volumes() and subsequent ubi_free_volume() calls skip the uninitialized volume. Additionally, resources are properly released in the error path of ubi_add_volume() [1][2][3]. Users should apply the latest stable kernel updates to remediate this vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
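A simplified userspace C model of the error path described above, added here as an illustration; it is not the kernel patch or UBI source. The `added` flag, the `fixed` switch, the counters and the three-volume sample are assumptions; only the function names mirror the description.

```c
#include <stdlib.h>
#define NVOLS 3                 /* constructed sample: the last add fails */
struct vol { int added; };      /* set once registration has succeeded */
struct model {
    struct vol *volumes[NVOLS];
    int bad_unregister;         /* unregister calls on a never-added device */
    int live;                   /* vol objects not yet released */
};

/* Stand-in for ubi_add_volume(); `fixed` selects the patched error path. */
static int add_volume(struct model *m, int i, int fail, int fixed)
{
    if (!fail) {
        m->volumes[i]->added = 1;
        return 0;
    }
    if (fixed) {                /* release here, then hide the slot */
        free(m->volumes[i]);
        m->volumes[i] = NULL;
        m->live--;
    }
    return -1;
}

/* Stand-in for ubi_free_volume(): unregisters without checking state. */
static void free_volume(struct model *m, int i)
{
    if (!m->volumes[i]->added)
        m->bad_unregister++;    /* where the kernel hits the NULL deref */
    free(m->volumes[i]);
    m->volumes[i] = NULL;
    m->live--;
}

/* Stand-in for uif_init() with kill_volumes() on its error path. */
static struct model run(int fixed)
{
    struct model m = {0};
    for (int i = 0; i < NVOLS; i++, m.live++)
        if (!(m.volumes[i] = calloc(1, sizeof(struct vol))))
            abort();
    for (int i = 0; i < NVOLS; i++)
        if (add_volume(&m, i, i == NVOLS - 1, fixed))
            break;
    for (int i = 0; i < NVOLS; i++)   /* kill_volumes(): skips NULL slots */
        if (m.volumes[i])
            free_volume(&m, i);
    return m;
}
int main(void) { return run(1).bad_unregister; }
```

`run(0)` reports one unregister on a never-added device, `run(1)` reports none, and `live` ends at zero in both cases because the fixed error path releases the volume before clearing its slot.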
References
- git.kernel.org/stable/c/234c53e57424992e657e6f4acc00d3df0983176f (nvd)
- git.kernel.org/stable/c/2ea7195b195009ecf0046e55361f393ba96d02db (nvd)
- git.kernel.org/stable/c/45b2c5ca4d2edae70f19fdb086bd927840c4c309 (nvd)
- git.kernel.org/stable/c/5558bcf1c58720ca6e9d6198d921cb3aa337f038 (nvd)
- git.kernel.org/stable/c/5ec4c8aca5a221756a9007deadfea92795319fee (nvd)
- git.kernel.org/stable/c/9eccdb0760cbcb4427b5303a83a3007de998af51 (nvd)
- git.kernel.org/stable/c/c15859bfd326c10230f09cb48a17f8a35f190342 (nvd)
- git.kernel.org/stable/c/fcbc795abe7897da4b5d2a6ab5010e36774b00c2 (nvd)