{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-53083", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-05-02T15:51:43.550Z", "datePublished": "2025-05-02T15:55:31.699Z", "dateUpdated": "2025-05-04T07:49:24.528Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T07:49:24.528Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: don't replace page in rq_pages if it's a continuation of last page\n\nThe splice read calls nfsd_splice_actor to put the pages containing file\ndata into the svc_rqst->rq_pages array. It's possible however to get a\nsplice result that only has a partial page at the end, if (e.g.) the\nfilesystem hands back a short read that doesn't cover the whole page.\n\nnfsd_splice_actor will plop the partial page into its rq_pages array and\nreturn. Then later, when nfsd_splice_actor is called again, the\nremainder of the page may end up being filled out. At this point,\nnfsd_splice_actor will put the page into the array _again_ corrupting\nthe reply. If this is done enough times, rq_next_page will overrun the\narray and corrupt the trailing fields -- the rq_respages and\nrq_next_page pointers themselves.\n\nIf we've already added the page to the array in the last pass, don't add\nit to the array a second time when dealing with a splice continuation.\nThis was originally handled properly in nfsd_splice_actor, but commit\n91e23b1c3982 (\"NFSD: Clean up nfsd_splice_actor()\") removed the check\nfor it."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nfsd/vfs.c"], "versions": [{"version": "bf1cbe2f3650b4f4a8add6af933c6d7f6af1f361", "lessThan": "8235cd619db6e67f1d7d26c55f1f3e4e575c947d", "status": "affected", "versionType": "git"}, {"version": "56bc7e3821e847a6cc8027ddaba32e9a440225a5", "lessThan": "12eca509234acb6b666802edf77408bb70d7bfca", "status": "affected", "versionType": "git"}, {"version": "91e23b1c39820bfed642119ff6b6ef9f43cf09ce", "lessThan": "51ddb84baff6f09ad62b5999ece3ec172e4e3568", "status": "affected", "versionType": "git"}, {"version": "91e23b1c39820bfed642119ff6b6ef9f43cf09ce", "lessThan": "0101067f376eb7b9afd00279270f25d5111a091d", "status": "affected", "versionType": "git"}, {"version": "91e23b1c39820bfed642119ff6b6ef9f43cf09ce", "lessThan": "27c934dd8832dd40fd34776f916dc201e18b319b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nfsd/vfs.c"], "versions": [{"version": "5.19", "status": "affected"}, {"version": "0", "lessThan": "5.19", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.22", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2.9", "lessThanOrEqual": "6.2.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.19", "versionEndExcluding": "6.1.22"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.19", "versionEndExcluding": "6.2.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.19", "versionEndExcluding": "6.3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/8235cd619db6e67f1d7d26c55f1f3e4e575c947d"}, {"url": "https://git.kernel.org/stable/c/12eca509234acb6b666802edf77408bb70d7bfca"}, {"url": "https://git.kernel.org/stable/c/51ddb84baff6f09ad62b5999ece3ec172e4e3568"}, {"url": "https://git.kernel.org/stable/c/0101067f376eb7b9afd00279270f25d5111a091d"}, {"url": "https://git.kernel.org/stable/c/27c934dd8832dd40fd34776f916dc201e18b319b"}], "title": "nfsd: don't replace page in rq_pages if it's a continuation of last page", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "3ABED26E-DCA7-48C4-B7FC-6722DF89A2D2", "versionEndExcluding": "6.1.22", "versionStartIncluding": "5.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "914F22DD-1E6F-4B0A-A14D-3A9F068F6761", "versionEndExcluding": "6.2.9", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "B8E3B0E8-FA27-4305-87BB-AF6C25B160CB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc2:*:*:*:*:*:*", "matchCriteriaId": "A47F0FC3-CE52-4BA1-BA51-22F783938431", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc3:*:*:*:*:*:*", "matchCriteriaId": "3583026A-27EC-4A4C-850A-83F2AF970673", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: don't replace page in rq_pages if it's a continuation of last page\n\nThe splice read calls nfsd_splice_actor to put the pages containing file\ndata into the svc_rqst->rq_pages array. It's possible however to get a\nsplice result that only has a partial page at the end, if (e.g.) the\nfilesystem hands back a short read that doesn't cover the whole page.\n\nnfsd_splice_actor will plop the partial page into its rq_pages array and\nreturn. Then later, when nfsd_splice_actor is called again, the\nremainder of the page may end up being filled out. At this point,\nnfsd_splice_actor will put the page into the array _again_ corrupting\nthe reply. If this is done enough times, rq_next_page will overrun the\narray and corrupt the trailing fields -- the rq_respages and\nrq_next_page pointers themselves.\n\nIf we've already added the page to the array in the last pass, don't add\nit to the array a second time when dealing with a splice continuation.\nThis was originally handled properly in nfsd_splice_actor, but commit\n91e23b1c3982 (\"NFSD: Clean up nfsd_splice_actor()\") removed the check\nfor it."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nfsd: no reemplace la p\u00e1gina en rq_pages si es una continuaci\u00f3n de la \u00faltima p\u00e1gina la lectura de empalme llama a nfsd_splice_actor para poner las p\u00e1ginas que contienen datos de archivo en la matriz svc_rqst->rq_pages. Sin embargo, es posible obtener un resultado de empalme que solo tenga una p\u00e1gina parcial al final, si (p. ej.) el sistema de archivos devuelve una lectura corta que no cubre toda la p\u00e1gina. nfsd_splice_actor colocar\u00e1 la p\u00e1gina parcial en su matriz rq_pages y retornar\u00e1. Luego, m\u00e1s tarde, cuando se vuelva a llamar a nfsd_splice_actor, el resto de la p\u00e1gina puede terminar llen\u00e1ndose. En este punto, nfsd_splice_actor colocar\u00e1 la p\u00e1gina en array _again_ corrompiendo la respuesta. Si esto se repite varias veces, rq_next_page saturar\u00e1 el array y corromper\u00e1 los campos finales: los punteros rq_respages y rq_next_page. Si ya a\u00f1adimos la p\u00e1gina al array en la \u00faltima pasada, no la a\u00f1adamos una segunda vez al tratar con una continuaci\u00f3n de empalme. Esto se gestionaba correctamente en nfsd_splice_actor, pero el commit 91e23b1c3982 (\"NFSD: Limpiar nfsd_splice_actor()\") elimin\u00f3 la comprobaci\u00f3n."}], "id": "CVE-2023-53083", "lastModified": "2025-11-12T21:08:12.057", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-05-02T16:15:27.310", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0101067f376eb7b9afd00279270f25d5111a091d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/12eca509234acb6b666802edf77408bb70d7bfca"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/27c934dd8832dd40fd34776f916dc201e18b319b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/51ddb84baff6f09ad62b5999ece3ec172e4e3568"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8235cd619db6e67f1d7d26c55f1f3e4e575c947d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:2458", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-284.11.1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-09T00:00:00Z"}, {"advisory": "RHSA-2023:2458", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-284.11.1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-09T00:00:00Z"}], "bugzilla": {"description": "kernel: nfsd: don't replace page in rq_pages if it's a continuation of last page", "id": "2363709", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2363709"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnfsd: don't replace page in rq_pages if it's a continuation of last page\nThe splice read calls nfsd_splice_actor to put the pages containing file\ndata into the svc_rqst->rq_pages array. It's possible however to get a\nsplice result that only has a partial page at the end, if (e.g.) the\nfilesystem hands back a short read that doesn't cover the whole page.\nnfsd_splice_actor will plop the partial page into its rq_pages array and\nreturn. Then later, when nfsd_splice_actor is called again, the\nremainder of the page may end up being filled out. At this point,\nnfsd_splice_actor will put the page into the array _again_ corrupting\nthe reply. If this is done enough times, rq_next_page will overrun the\narray and corrupt the trailing fields -- the rq_respages and\nrq_next_page pointers themselves.\nIf we've already added the page to the array in the last pass, don't add\nit to the array a second time when dealing with a splice continuation.\nThis was originally handled properly in nfsd_splice_actor, but commit\n91e23b1c3982 (\"NFSD: Clean up nfsd_splice_actor()\") removed the check\nfor it."], "name": "CVE-2023-53083", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-05-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-53083\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53083\nhttps://lore.kernel.org/linux-cve-announce/2025050217-CVE-2023-53083-5b4e@gregkh/T"], "threat_severity": "Moderate"}

{}