CVE-2023-52851
📋 TL;DR
This CVE describes a double free in the Linux kernel's mlx5 InfiniBand driver (mlx5_ib), in the error handling of the device init stages. When workqueue creation in mlx5_mkey_cache_init() fails, the failing init stage (mlx5_ib_stage_post_ib_reg_umr_init) destroyed the UMR QP (Queue Pair) itself, and the probe unwinder in __mlx5_ib_add() then destroyed the same QP a second time, producing a use-after-free in ib_destroy_qp_user. It affects systems that run Mellanox (NVIDIA) ConnectX adapters through mlx5_ib on kernels without the fix.
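To make the ownership mistake concrete, here is an added userspace C model of the probe sequence; it is illustration written for this page, not code from the mlx5_ib driver. It assumes a three-stage profile (PRE_IB_REG_UMR, IB_REG, POST_IB_REG_UMR), a probe loop that unwinds only the stages before the failing one in reverse order, and helper names chosen to mirror the driver's (umr_resource_init/cleanup, mkey_cache_init, pre_ib_reg_umr_cleanup); their bodies are stand-ins, and -12 stands for -ENOMEM. The buggy stage variant destroys the QP on its own failure and the unwinder destroys it again; the fixed variant leaves teardown to the earlier stage's cleanup hook, which is the single owner.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for struct ib_qp, kept allocated after "destroy" so a repeat destroy is counted. */
struct qp { bool destroyed; };
struct dev {                  /* stand-in for struct mlx5_ib_dev, reduced to this model */
    struct qp *umr_qp;        /* like dev->umrc.qp */
    bool fail_cache_init;     /* make the mkey cache workqueue allocation fail */
    int destroys;             /* destroy_qp() calls */
    int double_destroys;      /* destroys of an already-destroyed QP */
};
struct stage { int (*init)(struct dev *); void (*cleanup)(struct dev *); };
struct probe_result { int err, destroys, double_destroys; };

static void destroy_qp(struct dev *d, struct qp *qp)
{
    d->destroys++;
    if (qp->destroyed) { d->double_destroys++; return; }  /* KASAN UAF on a real kernel */
    qp->destroyed = true;
}
/* Assumed helper names (not the driver's); -12 stands for -ENOMEM. */
static int umr_resource_init(struct dev *d)
{
    d->umr_qp = calloc(1, sizeof(*d->umr_qp));
    return d->umr_qp ? 0 : -12;
}
static void umr_resource_cleanup(struct dev *d) { if (d->umr_qp) destroy_qp(d, d->umr_qp); }
static int mkey_cache_init(struct dev *d)        /* its workqueue allocation is what fails */
{
    if (!d->fail_cache_init) return 0;
    fprintf(stderr, "mkey_cache_init: failed to create work queue\n");
    return -12;
}

/* Before the fix: the stage releases the QP on its own failure path, but the
 * unwinder also runs pre_ib_reg_umr_cleanup(), which releases it again. */
static int post_ib_reg_umr_init_buggy(struct dev *d)
{
    int err = umr_resource_init(d);
    if (err) return err;
    err = mkey_cache_init(d);
    if (err) {
        fprintf(stderr, "mr cache init failed %d\n", err);
        umr_resource_cleanup(d);                /* BUG: second release follows */
    }
    return err;
}
/* After the fix: report the error and leave the QP to the single owner of its
 * teardown, the earlier stage's cleanup hook. */
static int post_ib_reg_umr_init_fixed(struct dev *d)
{
    int err = umr_resource_init(d);
    if (err) return err;
    err = mkey_cache_init(d);
    if (err) fprintf(stderr, "mr cache init failed %d\n", err);
    return err;
}
static void ib_reg_cleanup(struct dev *d) { (void)d; }   /* device unregistration */
/* UMR teardown sits on a stage BEFORE ib_reg: on normal removal (reverse order) it runs after unregistration. */
static void pre_ib_reg_umr_cleanup(struct dev *d) { umr_resource_cleanup(d); }
/* Model of the __mlx5_ib_add() loop: run init hooks in order; on failure run
 * the cleanup hooks of every stage before the failing one, in reverse. */
static int probe(struct dev *d, const struct stage *st, size_t n)
{
    size_t i; int err = 0;
    for (i = 0; i < n; i++)
        if (st[i].init && (err = st[i].init(d)))
            break;
    if (!err) return 0;
    while (i) {
        i--;
        if (st[i].cleanup) st[i].cleanup(d);
    }
    return err;
}
/* Probe with mkey cache init forced to fail, with the buggy or the fixed stage. */
struct probe_result run_probe_failure(bool use_fixed_stage)
{
    struct dev d = { .fail_cache_init = true };
    const struct stage st[] = {
        { NULL, pre_ib_reg_umr_cleanup },                        /* PRE_IB_REG_UMR */
        { NULL, ib_reg_cleanup },                                /* IB_REG */
        { use_fixed_stage ? post_ib_reg_umr_init_fixed
                          : post_ib_reg_umr_init_buggy, NULL },  /* POST_IB_REG_UMR */
    };
    struct probe_result r = { .err = probe(&d, st, sizeof(st) / sizeof(st[0])) };
    r.destroys = d.destroys; r.double_destroys = d.double_destroys;
    free(d.umr_qp);
    return r;
}

int main(void)
{
    struct probe_result b = run_probe_failure(false), f = run_probe_failure(true);
    printf("buggy: %d double destroys; fixed: %d\n", b.double_destroys, f.double_destroys);
    return b.double_destroys == 1 && f.double_destroys == 0 ? 0 : 1;
}
```

Build with cc -Wall -o probe probe.c && ./probe. The review rule this models: in a staged init with reverse-order unwinding, the hook that owns a resource's teardown must be the only place that releases it, even when the resource is created in a later stage than the one whose cleanup releases it; a stage's own error path must not release what an earlier stage's cleanup will release during unwind.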
💻 Affected Systems
- Linux kernel mlx5 InfiniBand driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel memory corruption from the double free: a kernel panic or, in theory, privilege escalation to full system compromise. In practice the path is reached only when a workqueue allocation fails during mlx5_ib device probe, which an unprivileged attacker cannot control directly, so the escalation scenario is theoretical.
Likely Case
System instability, kernel crashes, or denial of service when initializing mlx5 InfiniBand devices.
If Mitigated
No impact unless workqueue creation in mlx5_mkey_cache_init() actually fails while mlx5_ib initializes the device. A system on which mlx5_ib probed cleanly has not executed the buggy path for that probe, but a driver reload, device reset, or hotplug runs it again.
🎯 Exploit Status
Reaching the bug requires local access and a way to make the workqueue allocation in mlx5_mkey_cache_init() fail while mlx5_ib probes the device (for example under memory pressure or with kernel fault injection); the failure is not attacker-controlled in a normal configuration. The issue was found by syzkaller fuzzing, which reported the use-after-free in ib_destroy_qp_user.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Mainline kernels containing commit 2ef422f063b74adcc4a4a9004b0a87bb55e0a836 (merged for 6.7), and stable kernels containing one of the backport commits listed under References. Distribution kernels carry the fix under their own version strings, so check the distribution's advisory for CVE-2023-52851.
Vendor Advisory: https://git.kernel.org/stable/c/2ef422f063b74adcc4a4a9004b0a87bb55e0a836
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a release that contains the fix (or the distribution's backport). 2. Reboot the system. 3. Confirm the running kernel is the updated one (uname -r) and that mlx5_ib loads cleanly (dmesg | grep -i mlx5). A clean load by itself does not prove the fix is present, since the buggy path only runs when the workqueue allocation fails.
🔧 Temporary Workarounds
Disable mlx5 InfiniBand driver
Prevent the vulnerable driver module from loading (Linux):
echo 'blacklist mlx5_ib' >> /etc/modprobe.d/blacklist.conf
rmmod mlx5_ib
Caveats: a blacklist entry only stops alias-based autoloading; add 'install mlx5_ib /bin/false' to the same file to block an explicit modprobe as well, and rebuild the initramfs if mlx5_ib is loaded from it. rmmod fails with "Module mlx5_ib is in use" while RDMA consumers (upper-layer modules, verbs applications) still hold the device, so stop those first. This removes all RDMA/InfiniBand function from the adapter; Ethernet through mlx5_core is unaffected.
🧯 If You Can't Patch
- Do not bring up RDMA/InfiniBand through mlx5_ib on unpatched kernels; the bug is in mlx5_ib, not in the mlx5_core Ethernet driver
- Monitor kernel logs for workqueue allocation failures and mlx5 initialization errors
🔍 How to Verify
Check if Vulnerable:
A system is exposed if its kernel lacks the fix and mlx5_ib is loaded or can be loaded. Check the running kernel and whether the module is present: lsmod | grep mlx5_ib; uname -r
Check Version:
uname -r
Verify Fix Applied:
Check whether a kernel source tree contains the fix: git merge-base --is-ancestor 2ef422f063b74adcc4a4a9004b0a87bb55e0a836 HEAD && echo fixed (on a stable branch use the matching backport commit from References; note that git log --oneline prints abbreviated hashes, so grepping its output for the full 40-character hash finds nothing). For a distribution kernel, compare the package version against the distribution's advisory for CVE-2023-52851, since uname -r does not reveal backported fixes.
📡 Detection & Monitoring
Log Indicators:
- failed to create work queue (logged by mlx5_mkey_cache_init)
- mr cache init failed, followed by the errno (logged by mlx5_ib_stage_post_ib_reg_umr_init)
- KASAN: slab-use-after-free in ib_destroy_qp_user
Note: the KASAN line appears only on KASAN-enabled debug kernels. On a production kernel the double free surfaces as a slab corruption BUG, an oops, or a panic shortly after the two mlx5 warnings, or not visibly at all.
Network Indicators:
- InfiniBand connection failures during initialization
SIEM Query:
source="kernel" AND ("mlx5_mkey_cache_init" OR "ib_destroy_qp_user" OR "UAF" OR "double free")
Note: "UAF" and "double free" on their own match unrelated kernel messages; treat a hit as relevant only when it appears alongside the mlx5 messages listed above.
🔗 References
- https://git.kernel.org/stable/c/2ef422f063b74adcc4a4a9004b0a87bb55e0a836
- https://git.kernel.org/stable/c/437f033e30c897bb3723eac9e9003cd9f88d00a3
- https://git.kernel.org/stable/c/4f4a7a7d1404297f2a92df0046f7e64dc5c52dd9
- https://git.kernel.org/stable/c/6387f269d84e6e149499408c4d1fc805017729b2