VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2023-54195

Description

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix timeout of a call that hasn't yet been granted a channel

afs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may get stalled in the background waiting for a connection to become available); it then calls rxrpc_kernel_set_max_life() to set the timeouts - but that starts the call timer so the call timer might then expire before we get a connection assigned - leading to the following oops if the call stalled:

    BUG: kernel NULL pointer dereference, address: 0000000000000000
    ...
    CPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701
    RIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157
    ...
    Call Trace:
     rxrpc_send_ACK+0x50/0x13b
     rxrpc_input_call_event+0x16a/0x67d
     rxrpc_io_thread+0x1b6/0x45f
     ? _raw_spin_unlock_irqrestore+0x1f/0x35
     ? rxrpc_input_packet+0x519/0x519
     kthread+0xe7/0xef
     ? kthread_complete_and_exit+0x1b/0x1b
     ret_from_fork+0x22/0x30

Fix this by noting the timeouts in struct rxrpc_call when the call is created. The timer will be started when the first packet is transmitted.

It shouldn't be possible to trigger this directly from userspace through AF_RXRPC as sendmsg() will return EBUSY if the call is in the waiting-for-conn state if it dropped out of the wait due to a signal.
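
The timer ordering described above, as a small userspace C model added here for illustration (not kernel code and not taken from the fix commit). The struct, function and enum names and the tick values are assumptions; `EV_NULL_CONN` stands in for the point where the event handler would touch a connection that has not been assigned yet.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model only; every name here is hypothetical, not a kernel symbol. */
struct conn { int channel; };
struct call {
    struct conn *conn;       /* NULL while the call waits for a channel */
    unsigned long max_life;  /* timeout noted at setup, in ticks */
    unsigned long expire_at; /* armed deadline; 0 means timer not running */
    bool fixed;              /* true selects the behaviour the fix describes */
};
enum ev_result { EV_IDLE, EV_ACK_SENT, EV_NULL_CONN };

/* Before the fix this arms the timer at once; after it, the value is only noted. */
static void set_max_life(struct call *c, unsigned long now, unsigned long life)
{
    c->max_life = life;
    if (!c->fixed)
        c->expire_at = now + life;
}

/* First transmission needs a channel; with the fix the timer is armed here. */
static void transmit_first(struct call *c, struct conn *conn, unsigned long now)
{
    c->conn = conn;
    if (c->fixed)
        c->expire_at = now + c->max_life;
}

/* Expiry makes the handler build an ACK, which needs the connection. */
static enum ev_result call_event(const struct call *c, unsigned long now)
{
    if (c->expire_at == 0 || now < c->expire_at)
        return EV_IDLE;
    return c->conn ? EV_ACK_SENT : EV_NULL_CONN; /* EV_NULL_CONN: the oops site */
}

/* Call set up at tick 0 with lifetime 10; its channel arrives only at tick 30. */
static enum ev_result stalled_call(bool fixed, unsigned long check_at)
{
    static struct conn channel = { 1 };
    struct call c = { .fixed = fixed };
    set_max_life(&c, 0, 10);
    if (check_at >= 30)
        transmit_first(&c, &channel, 30);
    return call_event(&c, check_at);
}
int main(void)
{
    printf("tick 20: pre-fix=%d fixed=%d\n", stalled_call(false, 20), stalled_call(true, 20));
    return 0;
}
```

In the model, the pre-fix ordering reaches the ACK path at tick 20 with no connection, while the fixed ordering stays idle until the lifetime has elapsed from the first transmission.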

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In Linux kernel's rxrpc, a call timer can expire before channel assignment, causing NULL pointer dereference and crash.

Vulnerability Details

CVE-2023-54195 is a bug in the Linux kernel's AF_RXRPC network protocol implementation, specifically in the call setup path. The root cause is that rxrpc_kernel_set_max_life() starts the call timer immediately, but if the call is stalled waiting for a connection channel to become available, the timer may expire before a channel is assigned. This leads to a NULL pointer dereference in rxrpc_alloc_txbuf() when the timer callback attempts to send an ACK packet, resulting in a kernel oops [1].

Attack Vector and Prerequisites

The vulnerability is not directly triggerable from userspace via AF_RXRPC sockets because sendmsg() returns EBUSY if the call is in the waiting-for-connection state and is interrupted by a signal. However, internal kernel callers like AFS (Andrew File System) may trigger the race condition. An attacker would need the ability to create and delay AFS calls, possibly by manipulating network conditions or exploiting timing windows, to cause a denial of service [1].

Impact

Successful exploitation results in a kernel NULL pointer dereference, which crashes the system (denial of service). The oops occurs in the kernel's rxrpc worker thread (krxrpcio), making the system unresponsive and requiring a reboot.

Mitigation

The Linux kernel has been patched to fix this issue. The fix ensures that timeout parameters are noted when the call is created, but the timer is only started when the first packet is transmitted. The commit 92128a7170a2 ("rxrpc: Fix timeout of a call that hasn't yet been granted a channel") addresses the bug. Users should apply kernel updates from their distribution to remediate this vulnerability [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
