CVE-2023-54173
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: Disable preemption in bpf_event_output
We received a report [1] of a kernel crash, which is caused by using nesting protection without disabling preemption.
bpf_event_output can be called by programs executed by the bpf_prog_run_array_cg function, which disables migration but keeps preemption enabled.
This can cause a task to be preempted by another one inside the nesting protection and eventually lead to two tasks using the same perf_sample_data buffer, causing crashes like:
  BUG: kernel NULL pointer dereference, address: 0000000000000001
  #PF: supervisor instruction fetch in kernel mode
  #PF: error_code(0x0010) - not-present page
  ...
  ? perf_output_sample+0x12a/0x9a0
  ? finish_task_switch.isra.0+0x81/0x280
  ? perf_event_output+0x66/0xa0
  ? bpf_event_output+0x13a/0x190
  ? bpf_event_output_data+0x22/0x40
  ? bpf_prog_dfc84bbde731b257_cil_sock4_connect+0x40a/0xacb
  ? xa_load+0x87/0xe0
  ? __cgroup_bpf_run_filter_sock_addr+0xc1/0x1a0
  ? release_sock+0x3e/0x90
  ? sk_setsockopt+0x1a1/0x12f0
  ? udp_pre_connect+0x36/0x50
  ? inet_dgram_connect+0x93/0xa0
  ? __sys_connect+0xb4/0xe0
  ? udp_setsockopt+0x27/0x40
  ? __pfx_udp_push_pending_frames+0x10/0x10
  ? __sys_setsockopt+0xdf/0x1a0
  ? __x64_sys_connect+0xf/0x20
  ? do_syscall_64+0x3a/0x90
  ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
Fixing this by disabling preemption in bpf_event_output.
[1] https://github.com/cilium/cilium/issues/26756
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel's bpf_event_output, caused by not disabling preemption, leads to a NULL pointer dereference and kernel crash.
Vulnerability
CVE-2023-54173 is a vulnerability in the Linux kernel's BPF subsystem, specifically in the bpf_event_output function. The root cause is that this function uses nesting protection without disabling preemption, which can lead to a race condition. When bpf_event_output is called by programs executed via bpf_prog_run_array_cg, migration is disabled but preemption remains enabled. This allows a task to be preempted inside the nesting protection, potentially causing two tasks to concurrently use the same perf_sample_data buffer [1].
Exploitation
An attacker with the capability to load and execute BPF programs that trigger bpf_event_output could exploit this race condition. The attack surface includes BPF programs attached to cgroup hooks (e.g., socket connect filters), which are commonly used in container environments. No authentication beyond the ability to load BPF programs is required; in many setups, this is restricted to privileged users.
Impact
Successful exploitation can cause a kernel NULL pointer dereference, leading to a denial of service (system crash). The crash trace shows a fault in perf_output_sample and related functions, confirming that the race corrupts kernel memory [1]. The vulnerability was discovered in a Cilium issue [1], indicating it is exploitable in real-world deployments that rely on BPF for networking.
Mitigation
The fix disables preemption inside bpf_event_output, preventing the race condition. The patch was committed to the Linux kernel stable tree on 2025-12-30 [1][2]. Users should apply the kernel update that includes this commit. No workaround is available; the vulnerability is fixed in the kernel source.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
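The race and the effect of the fix can be reproduced in a small user-space model, added here as an example; it is not kernel code and not taken from the patch. The buffer count of 3, the constructed schedule and every name in it (`cpu_model`, `model_enter`, `model_exit`, `count_collisions`, `demo_collisions`) are assumptions made for illustration.

```c
#include <stdio.h>
#define NEST_MAX 3   /* assumed number of per-CPU buffers, one per nesting level */
#define NO_TASK (-1)
enum op { ENTER, EXIT };
struct step { int task; enum op op; };
struct cpu_model { int nest_level, owner[NEST_MAX], collisions; };

/* Entry half of the nesting protection: bump the counter, take that level's buffer. */
static int model_enter(struct cpu_model *c, int task) {
    int slot = c->nest_level++;
    if (slot >= NEST_MAX) { c->nest_level--; return -1; }  /* too deep: refuse */
    if (c->owner[slot] != NO_TASK && c->owner[slot] != task)
        c->collisions++;   /* buffer handed out while another task still uses it */
    c->owner[slot] = task;
    return slot;
}

/* Exit half: release the buffer if it is still ours, then drop the counter. */
static void model_exit(struct cpu_model *c, int task, int slot) {
    if (c->owner[slot] == task) c->owner[slot] = NO_TASK;
    c->nest_level--;
}

/* Replay a schedule on one CPU; with preemption disabled, ENTER runs through to its exit. */
int count_collisions(const struct step *s, int n, int preempt_disabled) {
    struct cpu_model c = { 0, { NO_TASK, NO_TASK, NO_TASK }, 0 };
    int held[2] = { -1, -1 };   /* buffer index held by task 0 (A) and task 1 (B) */
    for (int i = 0; i < n; i++) {
        int t = s[i].task;
        if (s[i].op == ENTER) held[t] = model_enter(&c, t);
        if (held[t] >= 0 && (s[i].op == EXIT || preempt_disabled)) {
            model_exit(&c, t, held[t]);
            held[t] = -1;
        }
    }
    return c.collisions;
}

/* Constructed schedule: A enters, B preempts and enters, A exits and re-enters. */
int demo_collisions(int preempt_disabled) {
    static const struct step sched[] = {
        {0, ENTER}, {1, ENTER}, {0, EXIT}, {0, ENTER}, {1, EXIT}, {0, EXIT} };
    return count_collisions(sched, 6, preempt_disabled);
}

int main(void) {
    printf("enabled: %d, disabled: %d\n", demo_collisions(0), demo_collisions(1));
    return 0;
}
```

The counter only indexes buffers safely when entries and exits are strictly last-in, first-out on a CPU. Preemption between tasks breaks that ordering, so task A's second entry is given the buffer that task B still holds.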
Affected products: 1
Patches: 5
3048cb0dc0cc, c81bdf8f9f2b, 36dd8ca330b7, 063c9ce8e74e, d62cc390c2e9
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 5
- git.kernel.org/stable/c/063c9ce8e74e07bf94f99cd13146f42867875e8b (nvd)
- git.kernel.org/stable/c/3048cb0dc0cc9dc74ed93690dffef00733bcad5b (nvd)
- git.kernel.org/stable/c/36dd8ca330b76585640ed32255a3c99f901e1502 (nvd)
- git.kernel.org/stable/c/c81bdf8f9f2b002d217c3d5357cdea9f2b82ff90 (nvd)
- git.kernel.org/stable/c/d62cc390c2e99ae267ffe4b8d7e2e08b6c758c32 (nvd)