{"id":"CVE-2023-53826","summary":"ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()\n\nWear-leveling entry could be freed in error path, which may be accessed\nagain in eraseblk_count_seq_show(), for example:\n\n__erase_worker                eraseblk_count_seq_show\n                                wl = ubi-\u003elookuptbl[*block_number]\n\t\t\t\tif (wl)\n  wl_entry_destroy\n    ubi-\u003elookuptbl[e-\u003epnum] = NULL\n    kmem_cache_free(ubi_wl_entry_slab, e)\n\t\t                   erase_count = wl-\u003eec  // UAF!\n\nWear-leveling entry updating/accessing in ubi-\u003elookuptbl should be\nprotected by ubi-\u003ewl_lock, fix it by adding ubi-\u003ewl_lock to serialize\nwl entry accessing between wl_entry_destroy() and\neraseblk_count_seq_show().\n\nFetch a reproducer in [Link].","modified":"2026-03-20T12:33:21.763431Z","published":"2025-12-09T01:29:39.679Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53826.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1cb14c06d6035539ef4215c4ba0871aea71d7c38"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3f9b63dfce44a7c3c095dd93d910408e07ab1845"},{"type":"WEB","url":"https://git.kernel.org/stable/c/79548ccdd992707879b4b683b7251c58ddf26f12"},{"type":"WEB","url":"https://git.kernel.org/stable/c/84250da1c63cb7d421a3b4812b5c2ce2e47d31a1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/84253f3c2dad6be10d30c92626c763d9a9f512ad"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9d448dd6bcb61a508204b57ea1f454ba9bac2f24"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a100de2974d208cfca032179b02ed4d1a0a7f143"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a240bc5c43130c6aa50831d7caaa02a1d84e1bce"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53826.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53826"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"801c135ce73d5df1caf3eca35b66a10824ae0707"},{"fixed":"3f9b63dfce44a7c3c095dd93d910408e07ab1845"},{"fixed":"84250da1c63cb7d421a3b4812b5c2ce2e47d31a1"},{"fixed":"1cb14c06d6035539ef4215c4ba0871aea71d7c38"},{"fixed":"9d448dd6bcb61a508204b57ea1f454ba9bac2f24"},{"fixed":"79548ccdd992707879b4b683b7251c58ddf26f12"},{"fixed":"84253f3c2dad6be10d30c92626c763d9a9f512ad"},{"fixed":"a100de2974d208cfca032179b02ed4d1a0a7f143"},{"fixed":"a240bc5c43130c6aa50831d7caaa02a1d84e1bce"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53826.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.22"},{"fixed":"4.14.308"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.15.0"},{"fixed":"4.19.276"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.20.0"},{"fixed":"5.4.235"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.173"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.100"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.18"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.2.5"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53826.json"}}],"schema_version":"1.7.5"}