CVE-2023-53075: ftrace: Fix invalid address access in lookup_rec() when index is 0
In the Linux kernel, the following vulnerability has been resolved:
ftrace: Fix invalid address access in lookup_rec() when index is 0
KASAN reported follow problem:
BUG: KASAN: use-after-free in lookup_rec
Read of size 8 at addr ffff000199270ff0 by task modprobe
CPU: 2 Comm: modprobe
Call trace:
kasan_report
__asan_load8
lookup_rec
ftrace_location
arch_check_ftrace_location
check_kprobe_address_safe
register_kprobe
When checking pg->records[pg->index - 1].ip in lookup_rec(), it can get a
pg which is newly added to ftrace_pages_start in ftrace_process_locs().
Before the first pg->index++, index is 0 and accessing pg->records[-1].ip
will cause this problem.
Don't check the ip when pg->index is 0.
Security readout for executives and security teams
Plain-English summary
CVE-2023-53075 is a Linux kernel memory safety bug in ftrace, a kernel tracing component. Under a specific index-zero condition, the kernel can read before an allocated records array. Public sources describe a KASAN-detected use-after-free, not confirmed real-world exploitation.
Executive priority
Treat as a routine but important Linux kernel maintenance item. There is no public evidence of exploitation, but kernel memory bugs can affect system stability and security boundaries. Patch through normal kernel update cycles, faster for multi-user or high-assurance systems.
Technical view
In lookup_rec(), ftrace checked pg->records[pg->index - 1].ip even when pg->index was 0, causing access to records[-1]. The reported trace involves modprobe, ftrace_location, arch_check_ftrace_location, check_kprobe_address_safe, and register_kprobe. The fix avoids the IP check when index is 0.
Likely exposure
Exposure is Linux systems running affected kernel versions identified by the CVE data, including listed 4.14.311, 4.19.279, 5.4.238, 5.10.176, 5.15.104, 6.1.21, 6.2.8, and 6.3 lines. Distribution backports may change status.
Exploitation context
The source bundle does not show CISA KEV listing or active exploitation. The known trigger context is kernel tracing and kprobe registration paths, observed by KASAN during modprobe activity. Public data does not establish remote exploitability or practical exploitation requirements.
Researcher notes
The available record lacks CVSS, CWE, and exploitability detail. Analysis should focus on the ftrace lookup_rec boundary condition and affected branch mapping. Avoid assuming privilege escalation or remote attack without additional vendor or upstream evidence.
Mitigation direction
Update to a vendor-supported kernel containing the referenced stable ftrace fixes.
Use distribution advisories to confirm whether fixes were backported to your kernel build.
Prioritize shared Linux systems and hosts where kernel tracing or kprobes are used.
If no vendor package exists, track the cited upstream stable commits.
Validation and detection
Inventory Linux kernel versions across servers, endpoints, containers hosts, and appliances.
Compare installed kernel builds against distribution advisories for CVE-2023-53075.
Check whether your kernel includes the cited stable commit for its branch.
Review kernel logs for KASAN or ftrace lookup_rec warnings, if KASAN kernels are used.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2023-53075 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
9Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
May 2, 2025, 15:55 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.