CVE-2023-54323
Description
In the Linux kernel, the following vulnerability has been resolved:
cxl/pmem: Fix nvdimm registration races
A loop of the form:
while true; do modprobe cxl_pci; modprobe -r cxl_pci; done
...fails with the following crash signature:
    BUG: kernel NULL pointer dereference, address: 0000000000000040
    [..]
    RIP: 0010:cxl_internal_send_cmd+0x5/0xb0 [cxl_core]
    [..]
    Call Trace:
     cxl_pmem_ctl+0x121/0x240 [cxl_pmem]
     nvdimm_get_config_data+0xd6/0x1a0 [libnvdimm]
     nd_label_data_init+0x135/0x7e0 [libnvdimm]
     nvdimm_probe+0xd6/0x1c0 [libnvdimm]
     nvdimm_bus_probe+0x7a/0x1e0 [libnvdimm]
     really_probe+0xde/0x380
     __driver_probe_device+0x78/0x170
     driver_probe_device+0x1f/0x90
     __device_attach_driver+0x85/0x110
     bus_for_each_drv+0x7d/0xc0
     __device_attach+0xb4/0x1e0
     bus_probe_device+0x9f/0xc0
     device_add+0x445/0x9c0
     nd_async_device_register+0xe/0x40 [libnvdimm]
     async_run_entry_fn+0x30/0x130
...namely that the bottom half of async nvdimm device registration runs after the CXL has already torn down the context that cxl_pmem_ctl() needs. Unlike the ACPI NFIT case that benefits from launching multiple nvdimm device registrations in parallel from those listed in the table, CXL is already marked PROBE_PREFER_ASYNCHRONOUS. So provide for a synchronous registration path to preclude this scenario.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel CXL PMEM driver causes a NULL pointer dereference during concurrent module load/unload; it is fixed by adding a synchronous nvdimm registration path.
Vulnerability Overview
CVE-2023-54323 is a race condition in the Linux kernel's CXL PMEM subsystem, specifically in the cxl_pmem driver. The bug occurs during concurrent module load/unload operations (e.g., a loop of modprobe cxl_pci insertions and removals), leading to a NULL pointer dereference in cxl_internal_send_cmd() [1]. The root cause is that the asynchronous bottom half of nvdimm device registration can run after the CXL context required for cxl_pmem_ctl() has already been torn down.
Exploitation Mechanism
No special privileges are required; an attacker with the ability to load and unload kernel modules or trigger device hotplug events on a system using CXL persistent memory (e.g., through administrative access) can exploit this race. The vulnerability is triggered by a specific temporal ordering: the asynchronous nvdimm registration outlives the CXL driver removal, so it runs when both the driver and its underlying CXL objects are already freed.
Impact
A successful exploit causes a kernel NULL pointer dereference, leading to a system crash (denial of service). The crash trace shows the fault occurring in cxl_internal_send_cmd, reached from the nvdimm probe path through nvdimm_get_config_data and cxl_pmem_ctl.
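For triage, an oops in a kernel log can be matched against the signature in the description by checking the faulting symbol and the async nvdimm probe frames. The Python below is an added example, not code from the kernel patch or from this page; the function names are hypothetical, and the sample log is constructed from the trace quoted in the description (with made-up timestamps) plus an invented unrelated oops.

```python
import re

# Symbols from the crash signature quoted in the CVE description.
FAULT_SYM = "cxl_internal_send_cmd"
PATH_SYMS = ("cxl_pmem_ctl", "nvdimm_probe", "nd_async_device_register")

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp, if present
OOPS = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
RIP = re.compile(r"RIP: \d+:(\w+)\+0x")
FRAME = re.compile(r"^\s*(?:\? )?(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_oopses(log_text):
    """Return one record per NULL-deref oops: fault address, RIP symbol, trace frames."""
    records, cur, in_trace = [], None, False
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw)
        if m := OOPS.search(line):
            cur = {"address": int(m.group(1), 16), "rip": None, "frames": []}
            records.append(cur)
            in_trace = False
        elif cur is None:
            continue
        elif (m := RIP.search(line)) and cur["rip"] is None:
            cur["rip"] = m.group(1)  # keep only the first RIP line of the oops
        elif line.strip() == "Call Trace:":
            in_trace = True
        elif in_trace and (m := FRAME.match(line)):
            cur["frames"].append(m.group(1))
        elif line.strip() not in ("<TASK>", "</TASK>"):
            in_trace = False  # first non-frame line ends the trace
    return records

def matches_cxl_pmem_race(rec):
    """True if the fault is in cxl_internal_send_cmd, reached via the async nvdimm probe."""
    return rec["rip"] == FAULT_SYM and all(s in rec["frames"] for s in PATH_SYMS)

# Constructed sample: the page's signature with timestamps, then an unrelated oops.
SAMPLE_LOG = """\
[   41.100000] BUG: kernel NULL pointer dereference, address: 0000000000000040
[   41.100010] RIP: 0010:cxl_internal_send_cmd+0x5/0xb0 [cxl_core]
[   41.100020] Call Trace:
[   41.100030]  cxl_pmem_ctl+0x121/0x240 [cxl_pmem]
[   41.100040]  nvdimm_get_config_data+0xd6/0x1a0 [libnvdimm]
[   41.100050]  nvdimm_probe+0xd6/0x1c0 [libnvdimm]
[   41.100060]  nd_async_device_register+0xe/0x40 [libnvdimm]
[   97.000000] BUG: kernel NULL pointer dereference, address: 0000000000000008
[   97.000010] RIP: 0010:example_fn+0x10/0x40 [example_mod]
"""
HITS = [r for r in parse_oopses(SAMPLE_LOG) if matches_cxl_pmem_race(r)]
```

Requiring both the faulting symbol and the `nd_async_device_register` frame keeps unrelated faults in `cxl_internal_send_cmd` from being attributed to this race.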
Mitigation Status
The fix, provided in kernel commits [1][2][3], introduces a synchronous registration path for nvdimm devices. This ensures that the registration completes before the CXL driver context can be removed, avoiding the race. Users should apply the patch or update to a kernel version containing the fix.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 3
a371788d4f4a
18c65667fa91
f57aec443c24
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.