CVE-2023-53445: net: qrtr: Fix a refcount bug in qrtr_recvmsg()
In the Linux kernel, the following vulnerability has been resolved:
net: qrtr: Fix a refcount bug in qrtr_recvmsg()
Syzbot reported a bug as following:
refcount_t: addition on 0; use-after-free.
...
RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
...
Call Trace:
<TASK>
__refcount_add include/linux/refcount.h:199 [inline]
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
kref_get include/linux/kref.h:45 [inline]
qrtr_node_acquire net/qrtr/af_qrtr.c:202 [inline]
qrtr_node_lookup net/qrtr/af_qrtr.c:398 [inline]
qrtr_send_resume_tx net/qrtr/af_qrtr.c:1003 [inline]
qrtr_recvmsg+0x85f/0x990 net/qrtr/af_qrtr.c:1070
sock_recvmsg_nosec net/socket.c:1017 [inline]
sock_recvmsg+0xe2/0x160 net/socket.c:1038
qrtr_ns_worker+0x170/0x1700 net/qrtr/ns.c:688
process_one_work+0x991/0x15c0 kernel/workqueue.c:2390
worker_thread+0x669/0x1090 kernel/workqueue.c:2537
It occurs in the concurrent scenario of qrtr_recvmsg() and
qrtr_endpoint_unregister() as following:
cpu0 cpu1
qrtr_recvmsg qrtr_endpoint_unregister
qrtr_send_resume_tx qrtr_node_release
qrtr_node_lookup mutex_lock(&qrtr_node_lock)
spin_lock_irqsave(&qrtr_nodes_lock, ) refcount_dec_and_test(&node->ref) [node->ref == 0]
radix_tree_lookup [node != NULL] __qrtr_node_release
qrtr_node_acquire spin_lock_irqsave(&qrtr_nodes_lock, )
kref_get(&node->ref) [WARNING] ...
mutex_unlock(&qrtr_node_lock)
Use qrtr_node_lock to protect qrtr_node_lookup() implementation, this
is actually improving the protection of node reference.
Security readout for executives and security teams
Plain-English summary
CVE-2023-53445 is a Linux kernel bug in the QRTR networking code. A race condition can mishandle a node reference and trigger a use-after-free condition. The published impact is availability only: a local low-privileged attacker could potentially crash or disrupt an affected system.
Executive priority
Patch during the normal security maintenance window, with faster handling for shared Linux systems where local users or workloads are not fully trusted. Current evidence supports moderate availability risk, not confirmed active exploitation.
Technical view
The issue is in qrtr_recvmsg(), where qrtr_node_lookup() could race with qrtr_endpoint_unregister(). The failing path can increment a reference after it reached zero, producing a refcount warning and use-after-free condition. The kernel fix improves locking by using qrtr_node_lock around node lookup.
Likely exposure
Exposure is limited to Linux systems running affected kernel versions with the vulnerable net/qrtr code present. CVSS marks attack vector as local and privileges required as low, so internet-facing remote exposure is not indicated by the provided sources.
Exploitation context
The source bundle reports syzbot discovery and kernel call traces. It does not cite public exploitation, CISA KEV listing, exploit code, or active attacks. Treat exploitation status as unconfirmed, with risk centered on local denial of service.
Researcher notes
The useful root cause is a locking gap around QRTR node lookup during concurrent receive and endpoint unregister paths. The CVE record provides stable kernel commits but no CWE mapping and no public exploitation evidence.
Mitigation direction
Update affected Linux kernels through your distribution or vendor channel.
Verify the update includes the referenced stable kernel fixes.
Prioritize shared, multi-user, and externally managed Linux hosts.
Check vendor advisories before applying workarounds not documented upstream.
Avoid direct wrangler-style deployment analogies; this is kernel patching only.
Validation and detection
Inventory running kernel versions across Linux hosts.
Map installed packages to CVE-2023-53445 or the stable commit IDs.
Review whether net/qrtr code is enabled on in-scope systems.
Confirm patched hosts rebooted into the updated kernel.
Monitor kernel logs for refcount or QRTR-related warnings.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2023-53445 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.