CVE-2023-53645
📋 TL;DR
CVE-2023-53645 is a use-after-free vulnerability in the Linux kernel's BPF subsystem: bpf_refcount_acquire could increment a zero refcount on already-freed memory when called on a non-owning reference after certain operations had failed. It affects systems running vulnerable Linux kernel versions with BPF programs that use refcount operations. An attacker could potentially exploit it to crash the kernel or achieve local privilege escalation.
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash, or potential local privilege escalation allowing attackers to gain root access on the affected system.
Likely Case
Kernel crash or system instability when BPF programs trigger the specific failure path, resulting in denial of service.
If Mitigated
No impact if the vulnerable code path is not executed by BPF programs or if proper kernel hardening is in place.
🎯 Exploit Status
Exploitation requires ability to load BPF programs, which typically requires CAP_BPF or root privileges on most systems.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits 7793fc3babe9fea908e57f7c187ea819f9fd7e95 and d906d1b940b9dbf0a3e821d6b32a51c369273d91
Vendor Advisory: https://git.kernel.org/stable/c/7793fc3babe9fea908e57f7c187ea819f9fd7e95
Restart Required: Yes
Instructions:
1. Update to a kernel version containing the fix.
2. Check your distribution's security advisories for specific patched kernel versions.
3. Reboot the system after the kernel update.
🔧 Temporary Workarounds
Disable unprivileged BPF
Set kernel.unprivileged_bpf_disabled so that users without CAP_BPF or CAP_SYS_ADMIN cannot load BPF programs that could trigger the vulnerability. This does not disable the BPF subsystem itself: privileged loaders are unaffected. A value of 1 cannot be cleared again until reboot, whereas 2 applies the same restriction but can later be changed back by an administrator. The commands below take effect immediately but are not persistent; add the setting to a file under /etc/sysctl.d/ to keep it across reboots.
echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled
sysctl -w kernel.unprivileged_bpf_disabled=1
Restrict BPF program loading
Use capabilities or SELinux/AppArmor policies to restrict which users can load BPF programs.
setcap -r /usr/bin/bpftool   # remove any file capabilities granted to bpftool so it cannot load programs without root
Use appropriate SELinux/AppArmor policies
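Added example, not part of this advisory: a POSIX shell check of the sysctl workaround above. It reads kernel.unprivileged_bpf_disabled, reports which of its three states the system is in, and prints the persistent sysctl.d line when unprivileged loading is still open. The function names and the /etc/sysctl.d/99-bpf.conf file name are my choices; the optional path argument exists so the check can be tried against a constructed file rather than the live /proc entry.

```shell
#!/bin/sh
# Added example (not from the advisory): report the state of the
# unprivileged_bpf_disabled sysctl. The sysctl path is a parameter so the
# function can be exercised against a constructed file.

# Usage: bpf_unpriv_state [PATH]
# Prints one of: unrestricted, restricted-locked, restricted, unknown
bpf_unpriv_state() {
    path="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
    [ -r "$path" ] || { echo "unknown"; return 0; }
    case "$(cat "$path")" in
        0) echo "unrestricted" ;;        # unprivileged users may call bpf() to load programs
        1) echo "restricted-locked" ;;   # unprivileged bpf() refused; cannot be cleared until reboot
        2) echo "restricted" ;;          # unprivileged bpf() refused; an admin may set it back to 0
        *) echo "unknown" ;;
    esac
}

# The line to place in a sysctl.d file so the restriction survives a reboot.
# 2 is the default here because it can be reverted without rebooting; pass 1
# where the lock-in is wanted.
bpf_unpriv_sysctl_snippet() {
    printf 'kernel.unprivileged_bpf_disabled = %s\n' "${1:-2}"
}

main() {
    state="$(bpf_unpriv_state "$@")"
    echo "unprivileged_bpf_disabled: $state"
    if [ "$state" = "unrestricted" ]; then
        echo "To restrict now:   sysctl -w kernel.unprivileged_bpf_disabled=2"
        echo "To persist, write this line to /etc/sysctl.d/99-bpf.conf (assumed file name):"
        bpf_unpriv_sysctl_snippet 2
    fi
}

main "$@"
```

Run it with no arguments on the host being checked; a state of `unrestricted` means the workaround is not in place. Remember that the restriction only affects callers lacking CAP_BPF/CAP_SYS_ADMIN, so it narrows who can reach the vulnerable path rather than removing it.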
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized users from loading BPF programs
- Monitor for suspicious BPF program loading and kernel warning messages related to refcount operations
🔍 How to Verify
Check if Vulnerable:
Check the running kernel version and whether BPF programs in your environment use refcount operations. Look for kernel warning messages containing 'refcount_t: addition on 0; use-after-free' in dmesg or system logs. That message is emitted by the generic refcount_t code for any refcount misuse in the kernel, so correlate it with BPF frames in the accompanying backtrace before attributing it to this issue.
Check Version:
uname -r
Verify Fix Applied:
Confirm that the running kernel contains the fix commits (for distribution kernels, consult the vendor advisory for the patched package version). Confirm that BPF programs which call bpf_refcount_acquire on non-owning references handle a NULL return, since the fixed kfunc can fail for such references.
📡 Detection & Monitoring
Log Indicators:
- Kernel warning messages containing 'refcount_t: addition on 0; use-after-free'
- BPF program loading events from unauthorized users
- System crashes or kernel panics
Network Indicators:
- Not applicable - this is a local kernel vulnerability
SIEM Query:
(source="kernel" AND "refcount_t: addition on 0; use-after-free") OR (source="audit" AND "BPF" AND "prog_load")
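Added example, not part of this advisory: a POSIX shell scan over log text for the two indicators listed above, counting the refcount warning, pulling the program ids out of audit BPF LOAD records, and checking whether anything BPF-related appears in the lines that follow the warning. The sample log lines are constructed for illustration, not captured from a real system; the audit record shape (`type=BPF ... prog-id=N op=LOAD`) follows the kernel's BPF audit events, and the dmesg lines mimic the generic refcount_t warning with a constructed backtrace frame. Function names are my choices.

```shell
#!/bin/sh
# Added example (not from the advisory): scan a log file for the indicators
# the advisory lists and print a one-line summary.

# Constructed sample input: dmesg-style and audit-style lines mixed together.
SAMPLE_LOGS='Jan 10 12:00:01 host kernel: [  123.456] ------------[ cut here ]------------
Jan 10 12:00:01 host kernel: [  123.457] refcount_t: addition on 0; use-after-free.
Jan 10 12:00:01 host kernel: [  123.458] WARNING: CPU: 1 PID: 4242 at lib/refcount.c:25 refcount_warn_saturate+0xa0/0xf0
Jan 10 12:00:01 host kernel: [  123.459] Call Trace:
Jan 10 12:00:01 host kernel: [  123.460]  bpf_refcount_acquire_impl+0x1c/0x90
type=BPF msg=audit(1704888002.100:77): prog-id=31 op=LOAD
type=BPF msg=audit(1704888003.200:78): prog-id=31 op=UNLOAD
Jan 10 12:00:05 host kernel: [  127.000] usb 1-1: new high-speed USB device number 2 using xhci_hcd'

# Number of lines carrying the refcount-on-zero warning. lib/refcount.c emits
# this text for any refcount_t in the kernel, so it is a signal to
# investigate, not proof that BPF was involved.
count_refcount_uaf() {
    grep -c 'refcount_t: addition on 0; use-after-free' "$1" || true
}

# Program ids from audit BPF LOAD records, one per line, deduplicated.
bpf_loaded_prog_ids() {
    grep 'type=BPF' "$1" | grep 'op=LOAD' \
        | sed -n 's/.*prog-id=\([0-9][0-9]*\).*/\1/p' | sort -un
}

# Crude correlation: does anything mentioning "bpf" appear within WINDOW lines
# after the refcount warning? The WARNING block normally carries the
# backtrace, so a BPF frame there ties the warning to the BPF subsystem.
refcount_uaf_near_bpf() {
    file="$1"; window="${2:-10}"
    awk -v w="$window" '
        /refcount_t: addition on 0; use-after-free/ { hit = NR }
        hit && NR <= hit + w && tolower($0) ~ /bpf/ { found = 1 }
        END { print (found ? "yes" : "no") }' "$file"
}

# One-line summary suitable for an alerting pipeline.
scan_bpf_indicators() {
    file="$1"
    n="$(count_refcount_uaf "$file")"
    ids="$(bpf_loaded_prog_ids "$file" | tr '\n' ',' | sed 's/,$//')"
    near="$(refcount_uaf_near_bpf "$file")"
    printf 'refcount_uaf=%s bpf_near_warning=%s bpf_load_prog_ids=%s\n' \
        "$n" "$near" "${ids:-none}"
}

# Stand-alone run over the constructed sample.
sample="$(mktemp)"
printf '%s\n' "$SAMPLE_LOGS" > "$sample"
scan_bpf_indicators "$sample"
rm -f "$sample"
```

On a real host, point `scan_bpf_indicators` at a saved `dmesg` dump or at `/var/log/audit/audit.log`; any non-zero `refcount_uaf` with `bpf_near_warning=yes` is worth treating as a possible hit on this issue, while a warning with no BPF frames nearby most likely comes from another subsystem.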