{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-54007", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-24T10:53:46.177Z", "datePublished": "2025-12-24T10:55:41.281Z", "dateUpdated": "2025-12-24T10:55:41.281Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-24T10:55:41.281Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmci_host: fix a race condition in vmci_host_poll() causing GPF\n\nDuring fuzzing, a general protection fault is observed in\nvmci_host_poll().\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]\nRIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926\n<- omitting registers ->\nCall Trace:\n <TASK>\n lock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162\n add_wait_queue+0x3d/0x260 kernel/sched/wait.c:22\n poll_wait include/linux/poll.h:49 [inline]\n vmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174\n vfs_poll include/linux/poll.h:88 [inline]\n do_pollfd fs/select.c:873 [inline]\n do_poll fs/select.c:921 [inline]\n do_sys_poll+0xc7c/0x1aa0 fs/select.c:1015\n __do_sys_ppoll fs/select.c:1121 [inline]\n __se_sys_ppoll+0x2cc/0x330 fs/select.c:1101\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nExample thread interleaving that causes the general protection fault\nis as follows:\n\nCPU1 (vmci_host_poll) CPU2 (vmci_host_do_init_context)\n----- -----\n// Read uninitialized context\ncontext = vmci_host_dev->context;\n // Initialize context\n vmci_host_dev->context = vmci_ctx_create();\n vmci_host_dev->ct_type = VMCIOBJ_CONTEXT;\n\nif (vmci_host_dev->ct_type == VMCIOBJ_CONTEXT) {\n // Dereferencing the wrong pointer\n poll_wait(..., &context->host_context);\n}\n\nIn this scenario, vmci_host_poll() reads vmci_host_dev->context first,\nand then reads vmci_host_dev->ct_type to check that\nvmci_host_dev->context is initialized. However, since these two reads\nare not atomically executed, there is a chance of a race condition as\ndescribed above.\n\nTo fix this race condition, read vmci_host_dev->context after checking\nthe value of vmci_host_dev->ct_type so that vmci_host_poll() always\nreads an initialized context."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/misc/vmw_vmci/vmci_host.c"], "versions": [{"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7", "lessThan": "2053e93ac15519ed1f1fe6eba79a33a4963be4a3", "status": "affected", "versionType": "git"}, {"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7", "lessThan": "ca0f4ad2b7a36c799213ef0a213eb977a51e03dc", "status": "affected", "versionType": "git"}, {"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7", "lessThan": "85b4aa4eb2e3a0da111fd0a1cdbf00f986ac6b6b", "status": "affected", "versionType": "git"}, {"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7", "lessThan": "770d30b1355c6c8879973dd054fca9168def182c", "status": "affected", "versionType": "git"}, {"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7", "lessThan": "d22b2a35729cb1de311cb650cd67518a24e13fc9", "status": "affected", "versionType": "git"}, {"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7", "lessThan": "67e35824f861a05b44b19d38e16a83f653bd9d92", "status": "affected", "versionType": "git"}, {"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7", "lessThan": "ab64bd32b9fac27ff4737d63711b9db5e5462448", "status": "affected", "versionType": "git"}, {"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7", "lessThan": "ae13381da5ff0e8e084c0323c3cc0a945e43e9c7", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/misc/vmw_vmci/vmci_host.c"], "versions": [{"version": "3.9", "status": "affected"}, {"version": "0", "lessThan": "3.9", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.283", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.243", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.180", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.111", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.28", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2.15", "lessThanOrEqual": "6.2.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.3.2", "lessThanOrEqual": "6.3.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.4", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "4.19.283"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "5.4.243"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "5.10.180"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "5.15.111"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "6.1.28"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "6.2.15"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "6.3.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "6.4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2053e93ac15519ed1f1fe6eba79a33a4963be4a3"}, {"url": "https://git.kernel.org/stable/c/ca0f4ad2b7a36c799213ef0a213eb977a51e03dc"}, {"url": "https://git.kernel.org/stable/c/85b4aa4eb2e3a0da111fd0a1cdbf00f986ac6b6b"}, {"url": "https://git.kernel.org/stable/c/770d30b1355c6c8879973dd054fca9168def182c"}, {"url": "https://git.kernel.org/stable/c/d22b2a35729cb1de311cb650cd67518a24e13fc9"}, {"url": "https://git.kernel.org/stable/c/67e35824f861a05b44b19d38e16a83f653bd9d92"}, {"url": "https://git.kernel.org/stable/c/ab64bd32b9fac27ff4737d63711b9db5e5462448"}, {"url": "https://git.kernel.org/stable/c/ae13381da5ff0e8e084c0323c3cc0a945e43e9c7"}], "title": "vmci_host: fix a race condition in vmci_host_poll() causing GPF", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmci_host: fix a race condition in vmci_host_poll() causing GPF\n\nDuring fuzzing, a general protection fault is observed in\nvmci_host_poll().\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]\nRIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926\n<- omitting registers ->\nCall Trace:\n <TASK>\n lock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162\n add_wait_queue+0x3d/0x260 kernel/sched/wait.c:22\n poll_wait include/linux/poll.h:49 [inline]\n vmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174\n vfs_poll include/linux/poll.h:88 [inline]\n do_pollfd fs/select.c:873 [inline]\n do_poll fs/select.c:921 [inline]\n do_sys_poll+0xc7c/0x1aa0 fs/select.c:1015\n __do_sys_ppoll fs/select.c:1121 [inline]\n __se_sys_ppoll+0x2cc/0x330 fs/select.c:1101\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nExample thread interleaving that causes the general protection fault\nis as follows:\n\nCPU1 (vmci_host_poll) CPU2 (vmci_host_do_init_context)\n----- -----\n// Read uninitialized context\ncontext = vmci_host_dev->context;\n // Initialize context\n vmci_host_dev->context = vmci_ctx_create();\n vmci_host_dev->ct_type = VMCIOBJ_CONTEXT;\n\nif (vmci_host_dev->ct_type == VMCIOBJ_CONTEXT) {\n // Dereferencing the wrong pointer\n poll_wait(..., &context->host_context);\n}\n\nIn this scenario, vmci_host_poll() reads vmci_host_dev->context first,\nand then reads vmci_host_dev->ct_type to check that\nvmci_host_dev->context is initialized. However, since these two reads\nare not atomically executed, there is a chance of a race condition as\ndescribed above.\n\nTo fix this race condition, read vmci_host_dev->context after checking\nthe value of vmci_host_dev->ct_type so that vmci_host_poll() always\nreads an initialized context."}], "id": "CVE-2023-54007", "lastModified": "2025-12-29T15:58:56.260", "metrics": {}, "published": "2025-12-24T11:15:53.633", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2053e93ac15519ed1f1fe6eba79a33a4963be4a3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/67e35824f861a05b44b19d38e16a83f653bd9d92"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/770d30b1355c6c8879973dd054fca9168def182c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/85b4aa4eb2e3a0da111fd0a1cdbf00f986ac6b6b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ab64bd32b9fac27ff4737d63711b9db5e5462448"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ae13381da5ff0e8e084c0323c3cc0a945e43e9c7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ca0f4ad2b7a36c799213ef0a213eb977a51e03dc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d22b2a35729cb1de311cb650cd67518a24e13fc9"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: vmci_host: fix a race condition in vmci_host_poll() causing GPF", "id": "2424960", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2424960"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nvmci_host: fix a race condition in vmci_host_poll() causing GPF\nDuring fuzzing, a general protection fault is observed in\nvmci_host_poll().\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]\nRIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926\n<- omitting registers ->\nCall Trace:\n<TASK>\nlock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672\n__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n_raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162\nadd_wait_queue+0x3d/0x260 kernel/sched/wait.c:22\npoll_wait include/linux/poll.h:49 [inline]\nvmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174\nvfs_poll include/linux/poll.h:88 [inline]\ndo_pollfd fs/select.c:873 [inline]\ndo_poll fs/select.c:921 [inline]\ndo_sys_poll+0xc7c/0x1aa0 fs/select.c:1015\n__do_sys_ppoll fs/select.c:1121 [inline]\n__se_sys_ppoll+0x2cc/0x330 fs/select.c:1101\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\nExample thread interleaving that causes the general protection fault\nis as follows:\nCPU1 (vmci_host_poll) CPU2 (vmci_host_do_init_context)\n----- -----\n// Read uninitialized context\ncontext = vmci_host_dev->context;\n// Initialize context\nvmci_host_dev->context = vmci_ctx_create();\nvmci_host_dev->ct_type = VMCIOBJ_CONTEXT;\nif (vmci_host_dev->ct_type == VMCIOBJ_CONTEXT) {\n// Dereferencing the wrong pointer\npoll_wait(..., &context->host_context);\n}\nIn this scenario, vmci_host_poll() reads vmci_host_dev->context first,\nand then reads vmci_host_dev->ct_type to check that\nvmci_host_dev->context is initialized. However, since these two reads\nare not atomically executed, there is a chance of a race condition as\ndescribed above.\nTo fix this race condition, read vmci_host_dev->context after checking\nthe value of vmci_host_dev->ct_type so that vmci_host_poll() always\nreads an initialized context."], "name": "CVE-2023-54007", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-12-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-54007\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54007\nhttps://lore.kernel.org/linux-cve-announce/2025122429-CVE-2023-54007-89b1@gregkh/T"], "threat_severity": "Low"}

{}