LiveActive security incident?Get immediate response
CVE Record

CVE-2023-53445: net: qrtr: Fix a refcount bug in qrtr_recvmsg()

In the Linux kernel, the following vulnerability has been resolved: net: qrtr: Fix a refcount bug in qrtr_recvmsg() Syzbot reported a bug as following: refcount_t: addition on 0; use-after-free. ... RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25 ... Call Trace: <TASK> __refcount_add include/linux/refcount.h:199 [inline] __refcount_inc include/linux/refcount.h:250 [inline] refcount_inc include/linux/refcount.h:267 [inline] kref_get include/linux/kref.h:45 [inline] qrtr_node_acquire net/qrtr/af_qrtr.c:202 [inline] qrtr_node_lookup net/qrtr/af_qrtr.c:398 [inline] qrtr_send_resume_tx net/qrtr/af_qrtr.c:1003 [inline] qrtr_recvmsg+0x85f/0x990 net/qrtr/af_qrtr.c:1070 sock_recvmsg_nosec net/socket.c:1017 [inline] sock_recvmsg+0xe2/0x160 net/socket.c:1038 qrtr_ns_worker+0x170/0x1700 net/qrtr/ns.c:688 process_one_work+0x991/0x15c0 kernel/workqueue.c:2390 worker_thread+0x669/0x1090 kernel/workqueue.c:2537 It occurs in the concurrent scenario of qrtr_recvmsg() and qrtr_endpoint_unregister() as following: cpu0 cpu1 qrtr_recvmsg qrtr_endpoint_unregister qrtr_send_resume_tx qrtr_node_release qrtr_node_lookup mutex_lock(&qrtr_node_lock) spin_lock_irqsave(&qrtr_nodes_lock, ) refcount_dec_and_test(&node->ref) [node->ref == 0] radix_tree_lookup [node != NULL] __qrtr_node_release qrtr_node_acquire spin_lock_irqsave(&qrtr_nodes_lock, ) kref_get(&node->ref) [WARNING] ... mutex_unlock(&qrtr_node_lock) Use qrtr_node_lock to protect qrtr_node_lookup() implementation, this is actually improving the protection of node reference.

MediumCVSS 5.5Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2023-53445 is a Linux kernel bug in the QRTR networking code. A race condition can mishandle a node reference and trigger a use-after-free condition. The published impact is availability only: a local low-privileged attacker could potentially crash or disrupt an affected system.

Executive priority

Patch during the normal security maintenance window, with faster handling for shared Linux systems where local users or workloads are not fully trusted. Current evidence supports moderate availability risk, not confirmed active exploitation.

Technical view

The issue is in qrtr_recvmsg(), where qrtr_node_lookup() could race with qrtr_endpoint_unregister(). The failing path can increment a reference after it reached zero, producing a refcount warning and use-after-free condition. The kernel fix improves locking by using qrtr_node_lock around node lookup.

Likely exposure

Exposure is limited to Linux systems running affected kernel versions with the vulnerable net/qrtr code present. CVSS marks attack vector as local and privileges required as low, so internet-facing remote exposure is not indicated by the provided sources.

Exploitation context

The source bundle reports syzbot discovery and kernel call traces. It does not cite public exploitation, CISA KEV listing, exploit code, or active attacks. Treat exploitation status as unconfirmed, with risk centered on local denial of service.

Researcher notes

The useful root cause is a locking gap around QRTR node lookup during concurrent receive and endpoint unregister paths. The CVE record provides stable kernel commits but no CWE mapping and no public exploitation evidence.

Mitigation direction

  • Update affected Linux kernels through your distribution or vendor channel.
  • Verify the update includes the referenced stable kernel fixes.
  • Prioritize shared, multi-user, and externally managed Linux hosts.
  • Check vendor advisories before applying workarounds not documented upstream.
  • Avoid direct wrangler-style deployment analogies; this is kernel patching only.

Validation and detection

  • Inventory running kernel versions across Linux hosts.
  • Map installed packages to CVE-2023-53445 or the stable commit IDs.
  • Review whether net/qrtr code is enabled on in-scope systems.
  • Confirm patched hosts rebooted into the updated kernel.
  • Monitor kernel logs for refcount or QRTR-related warnings.
Prepared
Confidence
high
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2023-53445 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
5.5 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
1ADP providers
6Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
5.5CVSS 3.1MediumCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H1.83.6CISA-ADP

Vulnerability scoring details

Base CVSS 3.1 score

5.5Medium
CVSS 3.1 vector shape for CVE-2023-53445Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux0a7e0d0ef05440db03c3199e84d228db943b237f, 0a7e0d0ef05440db03c3199e84d228db943b237f, 0a7e0d0ef05440db03c3199e84d228db943b237f, 0a7e0d0ef05440db03c3199e84d228db943b237f, 0a7e0d0ef05440db03c3199e84d228db943b237funaffected
LinuxLinux5.6, 0, 5.10.178, 5.15.107, 6.1.24, 6.2.11, 6.3affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.