{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-54276", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-30T12:06:44.523Z", "datePublished": "2025-12-30T12:16:05.020Z", "dateUpdated": "2025-12-30T12:16:05.020Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-30T12:16:05.020Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net\n\nCommit f5f9d4a314da (\"nfsd: move reply cache initialization into nfsd\nstartup\") moved the initialization of the reply cache into nfsd startup,\nbut didn't account for the stats counters, which can be accessed before\nnfsd is ever started. The result can be a NULL pointer dereference when\nsomeone accesses /proc/fs/nfsd/reply_cache_stats while nfsd is still\nshut down.\n\nThis is a regression and a user-triggerable oops in the right situation:\n\n- non-x86_64 arch\n- /proc/fs/nfsd is mounted in the namespace\n- nfsd is not started in the namespace\n- unprivileged user calls \"cat /proc/fs/nfsd/reply_cache_stats\"\n\nAlthough this is easy to trigger on some arches (like aarch64), on\nx86_64, calling this_cpu_ptr(NULL) evidently returns a pointer to the\nfixed_percpu_data. That struct looks just enough like a newly\ninitialized percpu var to allow nfsd_reply_cache_stats_show to access\nit without Oopsing.\n\nMove the initialization of the per-net+per-cpu reply-cache counters\nback into nfsd_init_net, while leaving the rest of the reply cache\nallocations to be done at nfsd startup time.\n\nKudos to Eirik who did most of the legwork to track this down."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nfsd/cache.h", "fs/nfsd/nfscache.c", "fs/nfsd/nfsctl.c"], "versions": [{"version": "4e18b58b106e34ac69d3052dd91f520bd83cf2fc", "lessThan": "3025d489f9c8984d1bf5916c4a20097ed80fca5c", "status": "affected", "versionType": "git"}, {"version": "70fdee548c036c6bdb496f284c9e78f1654b6dd0", "lessThan": "8549384d0f65981761fe2077d04fa2a8d37b54e0", "status": "affected", "versionType": "git"}, {"version": "e7e571ed4ec7bb50136233d8e7b986efef2af8c1", "lessThan": "66a178177b2b3bb1d71e854c5e7bbb320eb0e566", "status": "affected", "versionType": "git"}, {"version": "f5f9d4a314da88c0a5faa6d168bf69081b7a25ae", "lessThan": "768c408594b52d8531e1a8ab62e5620c19213e73", "status": "affected", "versionType": "git"}, {"version": "f5f9d4a314da88c0a5faa6d168bf69081b7a25ae", "lessThan": "ed9ab7346e908496816cffdecd46932035f66e2e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nfsd/cache.h", "fs/nfsd/nfscache.c", "fs/nfsd/nfsctl.c"], "versions": [{"version": "6.3", "status": "affected"}, {"version": "0", "lessThan": "6.3", "status": "unaffected", "versionType": "semver"}, {"version": "6.4.4", "lessThanOrEqual": "6.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.4.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3025d489f9c8984d1bf5916c4a20097ed80fca5c"}, {"url": "https://git.kernel.org/stable/c/8549384d0f65981761fe2077d04fa2a8d37b54e0"}, {"url": "https://git.kernel.org/stable/c/66a178177b2b3bb1d71e854c5e7bbb320eb0e566"}, {"url": "https://git.kernel.org/stable/c/768c408594b52d8531e1a8ab62e5620c19213e73"}, {"url": "https://git.kernel.org/stable/c/ed9ab7346e908496816cffdecd46932035f66e2e"}], "title": "nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net\n\nCommit f5f9d4a314da (\"nfsd: move reply cache initialization into nfsd\nstartup\") moved the initialization of the reply cache into nfsd startup,\nbut didn't account for the stats counters, which can be accessed before\nnfsd is ever started. The result can be a NULL pointer dereference when\nsomeone accesses /proc/fs/nfsd/reply_cache_stats while nfsd is still\nshut down.\n\nThis is a regression and a user-triggerable oops in the right situation:\n\n- non-x86_64 arch\n- /proc/fs/nfsd is mounted in the namespace\n- nfsd is not started in the namespace\n- unprivileged user calls \"cat /proc/fs/nfsd/reply_cache_stats\"\n\nAlthough this is easy to trigger on some arches (like aarch64), on\nx86_64, calling this_cpu_ptr(NULL) evidently returns a pointer to the\nfixed_percpu_data. That struct looks just enough like a newly\ninitialized percpu var to allow nfsd_reply_cache_stats_show to access\nit without Oopsing.\n\nMove the initialization of the per-net+per-cpu reply-cache counters\nback into nfsd_init_net, while leaving the rest of the reply cache\nallocations to be done at nfsd startup time.\n\nKudos to Eirik who did most of the legwork to track this down."}], "id": "CVE-2023-54276", "lastModified": "2025-12-30T13:16:16.537", "metrics": {}, "published": "2025-12-30T13:16:16.537", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3025d489f9c8984d1bf5916c4a20097ed80fca5c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/66a178177b2b3bb1d71e854c5e7bbb320eb0e566"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/768c408594b52d8531e1a8ab62e5620c19213e73"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8549384d0f65981761fe2077d04fa2a8d37b54e0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ed9ab7346e908496816cffdecd46932035f66e2e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}