CVE-2023-53187 (GCVE-0-2023-53187)

Vulnerability from cvelistv5 – Published: 2025-09-15 14:04 – Updated: 2026-05-23 15:28
VLAI
Title
btrfs: fix use-after-free of new block group that became unused
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free of new block group that became unused If a task creates a new block group and that block group becomes unused before we finish its creation, at btrfs_create_pending_block_groups(), then when btrfs_mark_bg_unused() is called against the block group, we assume that the block group is currently in the list of block groups to reclaim, and we move it out of the list of new block groups and into the list of unused block groups. This has two consequences: 1) We move it out of the list of new block groups associated to the current transaction. So the block group creation is not finished and if we attempt to delete the bg because it's unused, we will not find the block group item in the extent tree (or the new block group tree), its device extent items in the device tree etc, resulting in the deletion to fail due to the missing items; 2) We don't increment the reference count on the block group when we move it to the list of unused block groups, because we assumed the block group was on the list of block groups to reclaim, and in that case it already has the correct reference count. However the block group was on the list of new block groups, in which case no extra reference was taken because it's local to the current task. This later results in doing an extra reference count decrement when removing the block group from the unused list, eventually leading the reference count to 0. This second case was caught when running generic/297 from fstests, which produced the following assertion failure and stack trace: [589.559] assertion failed: refcount_read(&block_group->refs) == 1, in fs/btrfs/block-group.c:4299 [589.559] ------------[ cut here ]------------ [589.559] kernel BUG at fs/btrfs/block-group.c:4299! [589.560] invalid opcode: 0000 [#1] PREEMPT SMP PTI [589.560] CPU: 8 PID: 2819134 Comm: umount Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 [589.560] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [589.560] RIP: 0010:btrfs_free_block_groups+0x449/0x4a0 [btrfs] [589.561] Code: 68 62 da c0 (...) [589.561] RSP: 0018:ffffa55a8c3b3d98 EFLAGS: 00010246 [589.561] RAX: 0000000000000058 RBX: ffff8f030d7f2000 RCX: 0000000000000000 [589.562] RDX: 0000000000000000 RSI: ffffffff953f0878 RDI: 00000000ffffffff [589.562] RBP: ffff8f030d7f2088 R08: 0000000000000000 R09: ffffa55a8c3b3c50 [589.562] R10: 0000000000000001 R11: 0000000000000001 R12: ffff8f05850b4c00 [589.562] R13: ffff8f030d7f2090 R14: ffff8f05850b4cd8 R15: dead000000000100 [589.563] FS: 00007f497fd2e840(0000) GS:ffff8f09dfc00000(0000) knlGS:0000000000000000 [589.563] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [589.563] CR2: 00007f497ff8ec10 CR3: 0000000271472006 CR4: 0000000000370ee0 [589.563] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [589.564] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [589.564] Call Trace: [589.564] <TASK> [589.565] ? __die_body+0x1b/0x60 [589.565] ? die+0x39/0x60 [589.565] ? do_trap+0xeb/0x110 [589.565] ? btrfs_free_block_groups+0x449/0x4a0 [btrfs] [589.566] ? do_error_trap+0x6a/0x90 [589.566] ? btrfs_free_block_groups+0x449/0x4a0 [btrfs] [589.566] ? exc_invalid_op+0x4e/0x70 [589.566] ? btrfs_free_block_groups+0x449/0x4a0 [btrfs] [589.567] ? asm_exc_invalid_op+0x16/0x20 [589.567] ? btrfs_free_block_groups+0x449/0x4a0 [btrfs] [589.567] ? btrfs_free_block_groups+0x449/0x4a0 [btrfs] [589.567] close_ctree+0x35d/0x560 [btrfs] [589.568] ? fsnotify_sb_delete+0x13e/0x1d0 [589.568] ? dispose_list+0x3a/0x50 [589.568] ? evict_inodes+0x151/0x1a0 [589.568] generic_shutdown_super+0x73/0x1a0 [589.569] kill_anon_super+0x14/0x30 [589.569] btrfs_kill_super+0x12/0x20 [btrfs] [589.569] deactivate_locked ---truncated---
Severity
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 01eca70ef8cf499d0cb6d1bbd691558e7792cf17 , < 6297644db23f77c02ae7961cc542d162629ae2c4 (git)
Affected: 5d19abcffd8404078dfa7d7118cec357b5e7bc58 , < 7569c4294ba6ff9f194635b14876198f8a687c4a (git)
Affected: a9f189716cf15913c453299d72f69c51a9b0f86b , < 0657b20c5a76c938612f8409735a8830d257866e (git)
Affected: edf3b5aadb2515c808200b904baa5b70a727f0ac (git)
Affected: 5.15.128 , < 5.16 (semver)
Create a notification for this product.
Linux Linux Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/block-group.c",
            "fs/btrfs/block-group.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6297644db23f77c02ae7961cc542d162629ae2c4",
              "status": "affected",
              "version": "01eca70ef8cf499d0cb6d1bbd691558e7792cf17",
              "versionType": "git"
            },
            {
              "lessThan": "7569c4294ba6ff9f194635b14876198f8a687c4a",
              "status": "affected",
              "version": "5d19abcffd8404078dfa7d7118cec357b5e7bc58",
              "versionType": "git"
            },
            {
              "lessThan": "0657b20c5a76c938612f8409735a8830d257866e",
              "status": "affected",
              "version": "a9f189716cf15913c453299d72f69c51a9b0f86b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "edf3b5aadb2515c808200b904baa5b70a727f0ac",
              "versionType": "git"
            },
            {
              "lessThan": "5.16",
              "status": "affected",
              "version": "5.15.128",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/block-group.c",
            "fs/btrfs/block-group.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux"
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.128",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free of new block group that became unused\n\nIf a task creates a new block group and that block group becomes unused\nbefore we finish its creation, at btrfs_create_pending_block_groups(),\nthen when btrfs_mark_bg_unused() is called against the block group, we\nassume that the block group is currently in the list of block groups to\nreclaim, and we move it out of the list of new block groups and into the\nlist of unused block groups. This has two consequences:\n\n1) We move it out of the list of new block groups associated to the\n   current transaction. So the block group creation is not finished and\n   if we attempt to delete the bg because it\u0027s unused, we will not find\n   the block group item in the extent tree (or the new block group tree),\n   its device extent items in the device tree etc, resulting in the\n   deletion to fail due to the missing items;\n\n2) We don\u0027t increment the reference count on the block group when we\n   move it to the list of unused block groups, because we assumed the\n   block group was on the list of block groups to reclaim, and in that\n   case it already has the correct reference count. However the block\n   group was on the list of new block groups, in which case no extra\n   reference was taken because it\u0027s local to the current task. This\n   later results in doing an extra reference count decrement when\n   removing the block group from the unused list, eventually leading the\n   reference count to 0.\n\nThis second case was caught when running generic/297 from fstests, which\nproduced the following assertion failure and stack trace:\n\n  [589.559] assertion failed: refcount_read(\u0026block_group-\u003erefs) == 1, in fs/btrfs/block-group.c:4299\n  [589.559] ------------[ cut here ]------------\n  [589.559] kernel BUG at fs/btrfs/block-group.c:4299!\n  [589.560] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n  [589.560] CPU: 8 PID: 2819134 Comm: umount Tainted: G        W          6.4.0-rc6-btrfs-next-134+ #1\n  [589.560] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n  [589.560] RIP: 0010:btrfs_free_block_groups+0x449/0x4a0 [btrfs]\n  [589.561] Code: 68 62 da c0 (...)\n  [589.561] RSP: 0018:ffffa55a8c3b3d98 EFLAGS: 00010246\n  [589.561] RAX: 0000000000000058 RBX: ffff8f030d7f2000 RCX: 0000000000000000\n  [589.562] RDX: 0000000000000000 RSI: ffffffff953f0878 RDI: 00000000ffffffff\n  [589.562] RBP: ffff8f030d7f2088 R08: 0000000000000000 R09: ffffa55a8c3b3c50\n  [589.562] R10: 0000000000000001 R11: 0000000000000001 R12: ffff8f05850b4c00\n  [589.562] R13: ffff8f030d7f2090 R14: ffff8f05850b4cd8 R15: dead000000000100\n  [589.563] FS:  00007f497fd2e840(0000) GS:ffff8f09dfc00000(0000) knlGS:0000000000000000\n  [589.563] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [589.563] CR2: 00007f497ff8ec10 CR3: 0000000271472006 CR4: 0000000000370ee0\n  [589.563] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  [589.564] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  [589.564] Call Trace:\n  [589.564]  \u003cTASK\u003e\n  [589.565]  ? __die_body+0x1b/0x60\n  [589.565]  ? die+0x39/0x60\n  [589.565]  ? do_trap+0xeb/0x110\n  [589.565]  ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]\n  [589.566]  ? do_error_trap+0x6a/0x90\n  [589.566]  ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]\n  [589.566]  ? exc_invalid_op+0x4e/0x70\n  [589.566]  ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]\n  [589.567]  ? asm_exc_invalid_op+0x16/0x20\n  [589.567]  ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]\n  [589.567]  ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]\n  [589.567]  close_ctree+0x35d/0x560 [btrfs]\n  [589.568]  ? fsnotify_sb_delete+0x13e/0x1d0\n  [589.568]  ? dispose_list+0x3a/0x50\n  [589.568]  ? evict_inodes+0x151/0x1a0\n  [589.568]  generic_shutdown_super+0x73/0x1a0\n  [589.569]  kill_anon_super+0x14/0x30\n  [589.569]  btrfs_kill_super+0x12/0x20 [btrfs]\n  [589.569]  deactivate_locked\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:28:10.504Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6297644db23f77c02ae7961cc542d162629ae2c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/7569c4294ba6ff9f194635b14876198f8a687c4a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0657b20c5a76c938612f8409735a8830d257866e"
        }
      ],
      "title": "btrfs: fix use-after-free of new block group that became unused",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53187",
    "datePublished": "2025-09-15T14:04:40.019Z",
    "dateReserved": "2025-09-15T13:59:19.066Z",
    "dateUpdated": "2026-05-23T15:28:10.504Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-53187",
      "date": "2026-06-30",
      "epss": "0.00148",
      "percentile": "0.04414"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-53187\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-09-15T14:15:40.907\",\"lastModified\":\"2026-06-17T06:44:27.880\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix use-after-free of new block group that became unused\\n\\nIf a task creates a new block group and that block group becomes unused\\nbefore we finish its creation, at btrfs_create_pending_block_groups(),\\nthen when btrfs_mark_bg_unused() is called against the block group, we\\nassume that the block group is currently in the list of block groups to\\nreclaim, and we move it out of the list of new block groups and into the\\nlist of unused block groups. This has two consequences:\\n\\n1) We move it out of the list of new block groups associated to the\\n   current transaction. So the block group creation is not finished and\\n   if we attempt to delete the bg because it\u0027s unused, we will not find\\n   the block group item in the extent tree (or the new block group tree),\\n   its device extent items in the device tree etc, resulting in the\\n   deletion to fail due to the missing items;\\n\\n2) We don\u0027t increment the reference count on the block group when we\\n   move it to the list of unused block groups, because we assumed the\\n   block group was on the list of block groups to reclaim, and in that\\n   case it already has the correct reference count. However the block\\n   group was on the list of new block groups, in which case no extra\\n   reference was taken because it\u0027s local to the current task. This\\n   later results in doing an extra reference count decrement when\\n   removing the block group from the unused list, eventually leading the\\n   reference count to 0.\\n\\nThis second case was caught when running generic/297 from fstests, which\\nproduced the following assertion failure and stack trace:\\n\\n  [589.559] assertion failed: refcount_read(\u0026block_group-\u003erefs) == 1, in fs/btrfs/block-group.c:4299\\n  [589.559] ------------[ cut here ]------------\\n  [589.559] kernel BUG at fs/btrfs/block-group.c:4299!\\n  [589.560] invalid opcode: 0000 [#1] PREEMPT SMP PTI\\n  [589.560] CPU: 8 PID: 2819134 Comm: umount Tainted: G        W          6.4.0-rc6-btrfs-next-134+ #1\\n  [589.560] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\\n  [589.560] RIP: 0010:btrfs_free_block_groups+0x449/0x4a0 [btrfs]\\n  [589.561] Code: 68 62 da c0 (...)\\n  [589.561] RSP: 0018:ffffa55a8c3b3d98 EFLAGS: 00010246\\n  [589.561] RAX: 0000000000000058 RBX: ffff8f030d7f2000 RCX: 0000000000000000\\n  [589.562] RDX: 0000000000000000 RSI: ffffffff953f0878 RDI: 00000000ffffffff\\n  [589.562] RBP: ffff8f030d7f2088 R08: 0000000000000000 R09: ffffa55a8c3b3c50\\n  [589.562] R10: 0000000000000001 R11: 0000000000000001 R12: ffff8f05850b4c00\\n  [589.562] R13: ffff8f030d7f2090 R14: ffff8f05850b4cd8 R15: dead000000000100\\n  [589.563] FS:  00007f497fd2e840(0000) GS:ffff8f09dfc00000(0000) knlGS:0000000000000000\\n  [589.563] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n  [589.563] CR2: 00007f497ff8ec10 CR3: 0000000271472006 CR4: 0000000000370ee0\\n  [589.563] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n  [589.564] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n  [589.564] Call Trace:\\n  [589.564]  \u003cTASK\u003e\\n  [589.565]  ? __die_body+0x1b/0x60\\n  [589.565]  ? die+0x39/0x60\\n  [589.565]  ? do_trap+0xeb/0x110\\n  [589.565]  ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]\\n  [589.566]  ? do_error_trap+0x6a/0x90\\n  [589.566]  ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]\\n  [589.566]  ? exc_invalid_op+0x4e/0x70\\n  [589.566]  ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]\\n  [589.567]  ? asm_exc_invalid_op+0x16/0x20\\n  [589.567]  ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]\\n  [589.567]  ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]\\n  [589.567]  close_ctree+0x35d/0x560 [btrfs]\\n  [589.568]  ? fsnotify_sb_delete+0x13e/0x1d0\\n  [589.568]  ? dispose_list+0x3a/0x50\\n  [589.568]  ? evict_inodes+0x151/0x1a0\\n  [589.568]  generic_shutdown_super+0x73/0x1a0\\n  [589.569]  kill_anon_super+0x14/0x30\\n  [589.569]  btrfs_kill_super+0x12/0x20 [btrfs]\\n  [589.569]  deactivate_locked\\n---truncated---\"}],\"affected\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"affectedData\":[{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"unaffected\",\"programFiles\":[\"fs/btrfs/block-group.c\",\"fs/btrfs/block-group.h\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"01eca70ef8cf499d0cb6d1bbd691558e7792cf17\",\"lessThan\":\"6297644db23f77c02ae7961cc542d162629ae2c4\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"5d19abcffd8404078dfa7d7118cec357b5e7bc58\",\"lessThan\":\"7569c4294ba6ff9f194635b14876198f8a687c4a\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"a9f189716cf15913c453299d72f69c51a9b0f86b\",\"lessThan\":\"0657b20c5a76c938612f8409735a8830d257866e\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"edf3b5aadb2515c808200b904baa5b70a727f0ac\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"5.15.128\",\"lessThan\":\"5.16\",\"versionType\":\"semver\",\"status\":\"affected\"}]},{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"unaffected\",\"programFiles\":[\"fs/btrfs/block-group.c\",\"fs/btrfs/block-group.h\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\"}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.15.128\",\"versionEndExcluding\":\"5.16\",\"matchCriteriaId\":\"F22B9A69-E286-47B2-9428-20C5AB28617F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"0B3E6E4D-E24E-4630-B00C-8C9901C597B0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.5:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"E4A01A71-0F09-4DB2-A02F-7EFFBE27C98D\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0657b20c5a76c938612f8409735a8830d257866e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/6297644db23f77c02ae7961cc542d162629ae2c4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7569c4294ba6ff9f194635b14876198f8a687c4a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.