VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2023-54234

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: mpi3mr: Fix missing mrioc->evtack_cmds initialization

Commit c1af985d27da ("scsi: mpi3mr: Add Event acknowledgment logic") introduced an array mrioc->evtack_cmds but initialization of the array elements was missed. They are just zero cleared. The function mpi3mr_complete_evt_ack() refers to the host_tag field of the elements. Due to the zero value of the host_tag field, the function calls clear_bit() for mrioc->evtack_cmds_bitmap with the wrong bit index. This results in memory access to an invalid address and "BUG: KASAN: use-after-free". This BUG was observed during an eHBA-9600 firmware update to version 8.3.1.0. To fix it, add the missing initialization of mrioc->evtack_cmds.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing initialization of mrioc->evtack_cmds in Linux kernel's mpi3mr driver leads to use-after-free during firmware update.

Root Cause

In the Linux kernel's mpi3mr SCSI driver, commit c1af985d27da introduced an array mrioc->evtack_cmds for event acknowledgment logic, but the initialization of its elements was omitted. The array was only zero-cleared, leaving the host_tag field of each element as zero. This oversight causes mpi3mr_complete_evt_ack() to use a wrong bit index when calling clear_bit() on mrioc->evtack_cmds_bitmap, leading to memory corruption [1].
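A user-space C model of the defect described above, added here as an illustration and not taken from the mpi3mr driver or its fix commit. The tag base, slot count, helper names and the tag-minus-base index derivation are assumptions; the kernel's clear_bit() performs no bounds check, so the model substitutes an explicit one to make the bad index visible.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed values for this model; not taken from the driver source. */
#define EVTACK_TAG_MIN 100u  /* hypothetical first host tag reserved for event acks */
#define NUM_EVTACK     4u    /* hypothetical number of tracker slots */

struct drv_cmd { uint16_t host_tag; };
struct ioc {
    struct drv_cmd evtack_cmds[NUM_EVTACK];
    unsigned long  evtack_cmds_bitmap;  /* one bit per tracker slot */
};

/* State after allocation only: every field, host_tag included, is zero. */
static void ioc_alloc_zeroed(struct ioc *m) { memset(m, 0, sizeof(*m)); }

/* The step the fix adds: give each slot its own host tag. */
static void ioc_init_evtack_cmds(struct ioc *m)
{
    for (unsigned i = 0; i < NUM_EVTACK; i++)
        m->evtack_cmds[i].host_tag = (uint16_t)(EVTACK_TAG_MIN + i);
}

/* Bit index as a completion handler would derive it (assumed: tag minus base). */
static uint16_t evtack_bit_index(const struct drv_cmd *c)
{
    return (uint16_t)(c->host_tag - EVTACK_TAG_MIN);
}

/* Bounds-checked stand-in for clear_bit(): 0 on success, -1 when the index
 * lies outside the bitmap, where an unchecked clear would hit other memory. */
static int complete_evt_ack(struct ioc *m, const struct drv_cmd *c)
{
    uint16_t idx = evtack_bit_index(c);
    if (idx >= NUM_EVTACK)
        return -1;
    m->evtack_cmds_bitmap &= ~(1UL << idx);
    return 0;
}

int main(void)
{
    struct ioc m;
    ioc_alloc_zeroed(&m);
    printf("zeroed tag  -> bit index %u\n", (unsigned)evtack_bit_index(&m.evtack_cmds[0]));
    ioc_init_evtack_cmds(&m);
    printf("initialized -> bit index %u\n", (unsigned)evtack_bit_index(&m.evtack_cmds[0]));
    return complete_evt_ack(&m, &m.evtack_cmds[0]);
}
```

With a zero host_tag the 16-bit subtraction wraps, so the computed index points far beyond a bitmap that holds only a handful of bits.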

Exploitation

The vulnerability manifests during a firmware update of eHBA-9600 controllers to version 8.3.1.0. No special privileges or network access are required beyond the ability to trigger a firmware update on an affected system. The bug is triggered in the normal driver operation path when event acknowledgments are processed, making it reachable without explicit attacker interaction [1].

Impact

Successful exploitation results in a use-after-free condition, as reported by KASAN (Kernel Address Sanitizer). This can lead to system instability, denial of service, or potentially arbitrary code execution in kernel context, depending on memory layout and attacker control over the freed memory [1].

Mitigation

The fix adds the missing initialization of mrioc->evtack_cmds elements. The patch is available in the stable kernel tree and should be applied to any kernel version containing the vulnerable commit [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
