CVE-2023-54088: blk-cgroup: hold queue_lock when removing blkg->q_node
In the Linux kernel, the following vulnerability has been resolved:
blk-cgroup: hold queue_lock when removing blkg->q_node
When blkg is removed from q->blkg_list from blkg_free_workfn(), queue_lock
has to be held, otherwise, all kinds of bugs(list corruption, hard lockup,
..) can be triggered from blkg_destroy_all().
This is a Linux kernel concurrency bug in block cgroup cleanup. Missing locking can corrupt an internal list or cause hard lockups during block cgroup destruction. The public record does not provide a CVSS score, confirmed exploit activity, or detailed real-world impact evidence.
Executive priority
Treat this as a stability and availability risk until vendor severity is clearer. Prioritize kernel patching where Linux hosts support production workloads, containers, or multi-tenant resource controls, but do not classify it as actively exploited from the provided evidence.
Technical view
The fix holds queue_lock while removing blkg->q_node from q->blkg_list in blk-cgroup cleanup. Without the lock, blkg_destroy_all() may race with blkg_free_workfn(), causing list corruption or hard lockup conditions inside the kernel block cgroup path.
Likely exposure
Exposure is limited to Linux systems running affected kernel builds identified in the CVE record. The bundle names Linux kernel version markers including 6.1.17, 6.2.4, 6.3, 6.4.12, and 6.5; distro backports require vendor confirmation.
Exploitation context
The bundle does not cite active exploitation, KEV listing, exploit code, or a remote attack path. The described failure mode is kernel instability during block cgroup cleanup, which may matter most on systems using cgroups for workload isolation or resource control.
Researcher notes
Evidence is sparse: no CVSS, CWE, exploit status, or distro-specific package mapping is included. Analysis should focus on the lockless q->blkg_list removal race and whether local workloads can trigger block cgroup destruction paths in affected kernels.
Mitigation direction
Apply Linux kernel stable updates containing the referenced upstream fixes.
Check distribution advisories for backported kernel packages covering CVE-2023-54088.
Prioritize shared, container, and workload-isolation hosts using cgroups.
Plan required kernel update reboots through normal change windows.
Track unsupported or custom kernels separately for manual patch confirmation.
Validation and detection
Inventory running kernel versions across Linux hosts.
Compare kernels against distro advisories and the CVE affected version data.
Confirm the applied kernel includes one of the referenced stable fixes or an equivalent backport.
Review kernel logs for list corruption, hard lockups, or block cgroup cleanup crashes.
Verify container or cgroup-heavy platforms receive the patched kernel after reboot.
Based on public source material and reviewed before publication.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2023-54088 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
5Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Dec 24, 2025, 13:06 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.