CVE-2023-54184
Description
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: iscsit: Free cmds before session free
Commands from recovery entries are freed after session has been closed. That leads to use-after-free at command free or NPE with such call trace:
Time2Retain timer expired for SID: 1, cleaning up iSCSI session.
BUG: kernel NULL pointer dereference, address: 0000000000000140
RIP: 0010:sbitmap_queue_clear+0x3a/0xa0
Call Trace:
 target_release_cmd_kref+0xd1/0x1f0 [target_core_mod]
 transport_generic_free_cmd+0xd1/0x180 [target_core_mod]
 iscsit_free_cmd+0x53/0xd0 [iscsi_target_mod]
 iscsit_free_connection_recovery_entries+0x29d/0x320 [iscsi_target_mod]
 iscsit_close_session+0x13a/0x140 [iscsi_target_mod]
 iscsit_check_post_dataout+0x440/0x440 [iscsi_target_mod]
 call_timer_fn+0x24/0x140
Move cleanup of recovery entries to before session freeing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in Linux iSCSI target occurs when recovery commands are freed after session close; patch moves cleanup before session free.
Vulnerability
CVE-2023-54184 is a use-after-free vulnerability in the Linux kernel's iSCSI target subsystem (iscsi_target_mod). The root cause is that commands associated with connection recovery entries are freed *after* the iSCSI session has been closed, leading to a race condition where the session cleanup code may attempt to access already-freed memory or cause a NULL pointer dereference.
Exploitation
The issue is triggered when the Time2Retain timer expires for an iSCSI session, initiating session teardown. The call trace shows a NULL pointer dereference in sbitmap_queue_clear followed by functions in the target core and iSCSI target modules. An attacker with the ability to cause session disconnection or manipulate recovery entries on an active iSCSI target could trigger this race condition.
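For triage, the trace quoted in the description can be matched in collected kernel logs to tell whether a target host has already hit this crash. The script below is an added example, not part of the CVE record or the kernel patch; the function name `find_crashes`, the `lookback` window and the timestamps in the sample are assumptions made for illustration.

```python
import re

# Session-teardown frames from the call trace in this CVE's description,
# innermost first. Matching on symbols ignores offsets, which vary per build.
SIGNATURE = ("iscsit_free_cmd", "iscsit_free_connection_recovery_entries",
             "iscsit_close_session")
FRAME = re.compile(r"([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
TRIGGER = "Time2Retain timer expired"

def find_crashes(lines, lookback=20):
    """Return one finding per kernel BUG report whose trace contains SIGNATURE."""
    reports, current = [], None
    for i, line in enumerate(lines):
        if "BUG:" in line:                      # start of a new report
            current = {"line": i + 1, "headline": line.strip(), "frames": []}
            reports.append(current)
        elif "---[ end trace" in line:          # kernel's end-of-report marker
            current = None
        elif current is not None:
            m = FRAME.search(line)
            if m:
                current["frames"].append(m.group(1))
    findings = []
    for r in reports:
        remaining = iter(r["frames"])
        if all(sym in remaining for sym in SIGNATURE):   # ordered subsequence
            before = lines[max(0, r["line"] - 1 - lookback):r["line"] - 1]
            findings.append({"line": r["line"], "headline": r["headline"],
                             "first_symbol": r["frames"][0],
                             "time2retain_seen": any(TRIGGER in b for b in before)})
    return findings

# Constructed sample: the trace from the description with made-up timestamps.
SAMPLE = """\
[  812.10] Time2Retain timer expired for SID: 1, cleaning up iSCSI session.
[  812.11] BUG: kernel NULL pointer dereference, address: 0000000000000140
[  812.12] RIP: 0010:sbitmap_queue_clear+0x3a/0xa0
[  812.13] Call Trace:
[  812.14]  target_release_cmd_kref+0xd1/0x1f0 [target_core_mod]
[  812.15]  transport_generic_free_cmd+0xd1/0x180 [target_core_mod]
[  812.16]  iscsit_free_cmd+0x53/0xd0 [iscsi_target_mod]
[  812.17]  iscsit_free_connection_recovery_entries+0x29d/0x320 [iscsi_target_mod]
[  812.18]  iscsit_close_session+0x13a/0x140 [iscsi_target_mod]
[  812.19]  iscsit_check_post_dataout+0x440/0x440 [iscsi_target_mod]
[  812.20]  call_timer_fn+0x24/0x140
""".splitlines()

if __name__ == "__main__":
    print(find_crashes(SAMPLE))
```

A finding with `time2retain_seen` set to true matches the scenario in the description most closely; a match without it still shows the same teardown path in the trace.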
Impact
A successful exploit can cause a denial of service via kernel crash (oops). In the worst case, the use-after-free may be leveraged for arbitrary code execution, though the provided description focuses on the NULL pointer dereference and crash scenario.
Mitigation
The fix, applied in stable kernel commits, moves the cleanup of recovery entries to before the session is freed [1][2]. All Linux distributions that include the vulnerable code should apply the corresponding stable kernel update.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 6
- 89f5055f9b0b
- 4621e24c9257
- 1911cca5916b
- a7a4def6c704
- 4ce221d295f5
- d8990b5a4d06
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
- git.kernel.org/stable/c/1911cca5916b6e106de7afa3ec0a38447158216c (nvd)
- git.kernel.org/stable/c/4621e24c9257c6379343bf0c11b473817cf7edcd (nvd)
- git.kernel.org/stable/c/4ce221d295f53e6c6b835ab33181e735482c9aac (nvd)
- git.kernel.org/stable/c/89f5055f9b0b57c7e7f02e32df95ef401f809b71 (nvd)
- git.kernel.org/stable/c/a7a4def6c7046e090bb10c6d550fdeb487db98ba (nvd)
- git.kernel.org/stable/c/d8990b5a4d065f38f35d69bcd627ec5a7f8330ca (nvd)