CVE-2023-54269
Description
In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: double free xprt_ctxt while still in use
When an RPC request is deferred, the rq_xprt_ctxt pointer is moved out of the svc_rqst into the svc_deferred_req. When the deferred request is revisited, the pointer is copied into the new svc_rqst - and also remains in the svc_deferred_req.
In the (rare?) case that the request is deferred a second time, the old svc_deferred_req is reused - it still has all the correct content. However in that case the rq_xprt_ctxt pointer is NOT cleared so that when xpo_release_xprt is called, the ctxt is freed (UDP) or possibly added to a free list (RDMA). When the deferred request is revisited for a second time, it will reference this ctxt which may be invalid, and then free the object a second time which is likely to oops.
So change svc_defer() to *always* clear rq_xprt_ctxt, and assert that the value is now stored in the svc_deferred_req.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A double-free vulnerability in the Linux kernel's SUNRPC service can corrupt memory when a request is deferred multiple times.
Vulnerability
In the Linux kernel's SUNRPC implementation, a double-free vulnerability exists in the handling of deferred RPC requests. When an RPC request is deferred, the rq_xprt_ctxt pointer is moved from the svc_rqst structure into the svc_deferred_req structure. Upon revisiting the deferred request, the pointer is copied into a new svc_rqst but remains in the svc_deferred_req. If the same request is deferred a second time (a rare scenario), the old svc_deferred_req is reused without clearing the rq_xprt_ctxt pointer. This leads to the context being freed (for UDP) or added to a free list (for RDMA) when xpo_release_xprt is called, while the pointer still exists in the deferred request.
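The ownership sequence above can be traced in a small user-space model that counts how often the transport context is released when a request is deferred twice, with and without the "always clear rq_xprt_ctxt" change from the description. This is an added example, not kernel code and not the patch itself: the struct layouts are simplified, and `model_defer`, `model_release`, `frees` and `releases_after_two_deferrals` are hypothetical names.

```c
/* User-space model (constructed, not kernel code); fixed=0 is the pre-fix flow. */
#include <assert.h>
#include <stdio.h>

struct ctxt     { int frees; };               /* counts releases; nothing is really freed */
struct deferred { struct ctxt *xprt_ctxt; };  /* stands in for svc_deferred_req */
struct rqst     { struct ctxt *rq_xprt_ctxt; struct deferred *rq_deferred; };

static struct deferred *model_defer(struct rqst *rq, struct deferred *fresh, int fixed)
{
    struct deferred *dr = rq->rq_deferred;
    if (!dr) {                                /* first deferral: new record */
        dr = fresh;
        dr->xprt_ctxt = rq->rq_xprt_ctxt;     /* pointer moved into the record */
    } else if (!fixed) {
        return dr;                            /* reused record: rq_xprt_ctxt NOT cleared */
    }
    assert(dr->xprt_ctxt == rq->rq_xprt_ctxt); /* value is stored in the record */
    rq->rq_xprt_ctxt = NULL;                  /* always cleared once deferred */
    return dr;
}

static void model_release(struct rqst *rq)    /* stands in for xpo_release_xprt */
{
    if (rq->rq_xprt_ctxt)
        rq->rq_xprt_ctxt->frees++;            /* a second increment is the double free */
    rq->rq_xprt_ctxt = NULL;
}

/* Defer twice, revisit twice, complete; returns how often ctxt was released. */
int releases_after_two_deferrals(int fixed)
{
    struct ctxt c = { 0 };
    struct deferred store = { NULL };
    struct rqst rq = { &c, NULL };            /* reused to stand for each new svc_rqst */
    for (int pass = 0; pass < 2; pass++) {
        struct deferred *dr = model_defer(&rq, &store, fixed);
        model_release(&rq);                   /* deferring request is torn down */
        rq.rq_xprt_ctxt = dr->xprt_ctxt;      /* revisit: pointer copied, stays in dr */
        rq.rq_deferred = dr;
    }
    model_release(&rq);                       /* request finally completes */
    return c.frees;
}

int main(void)
{
    printf("pre-fix: %d, fixed: %d\n", releases_after_two_deferrals(0), releases_after_two_deferrals(1));
    return 0;
}
```

In the pre-fix flow the first release happens while the deferred record still points at the context, so the second revisit hands out a stale pointer before the second release.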
Exploitation
An attacker would need to trigger the specific sequence of events where a request is deferred twice, and subsequently revisited. This is described as a "rare" case, likely requiring specific network conditions or crafted RPC messages. No authentication is explicitly mentioned, but the attack surface is the kernel's network service handling SUNRPC requests. The vulnerability resides in the svc_defer() function, where the fix clears rq_xprt_ctxt after storing it in the deferred request.
Impact
A successful exploit could lead to memory corruption, as freeing the same object twice (double-free) can cause a kernel oops (crash) or potentially be leveraged for privilege escalation. The impact is a denial of service (system crash) with a possibility of arbitrary code execution depending on the kernel memory allocator state.
Mitigation
The vulnerability is fixed in the Linux kernel. Patches have been applied to the stable kernel tree, as referenced in commits [1] and [2]. Users should update to a kernel version containing the fix.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches (4): 7851771789e8, fd86534872f4, e0c648627322, eb8d3a2c809a
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.