CVE-2023-54274 - Vulnerability Details

- RDMA/srpt: Add a check for valid 'mad_agent' pointer

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/srpt: Add a check for valid 'mad_agent' pointer

When unregistering MAD agent, srpt module has a non-null check
for 'mad_agent' pointer before invoking ib_unregister_mad_agent().
This check can pass if 'mad_agent' variable holds an error value.
The 'mad_agent' can have an error value for a short window when
srpt_add_one() and srpt_remove_one() is executed simultaneously.

In srpt module, added a valid pointer check for 'sport->mad_agent'
before unregistering MAD agent.

This issue can hit when RoCE driver unregisters ib_device

Stack Trace:
------------
BUG: kernel NULL pointer dereference, address: 000000000000004d
PGD 145003067 P4D 145003067 PUD 2324fe067 PMD 0
Oops: 0002 [#1] PREEMPT SMP NOPTI
CPU: 10 PID: 4459 Comm: kworker/u80:0 Kdump: loaded Tainted: P
Hardware name: Dell Inc. PowerEdge R640/06NR82, BIOS 2.5.4 01/13/2020
Workqueue: bnxt_re bnxt_re_task [bnxt_re]
RIP: 0010:_raw_spin_lock_irqsave+0x19/0x40
Call Trace:
ib_unregister_mad_agent+0x46/0x2f0 [ib_core]
IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
? __schedule+0x20b/0x560
srpt_unregister_mad_agent+0x93/0xd0 [ib_srpt]
srpt_remove_one+0x20/0x150 [ib_srpt]
remove_client_context+0x88/0xd0 [ib_core]
bond0: (slave p2p1): link status definitely up, 100000 Mbps full duplex
disable_device+0x8a/0x160 [ib_core]
bond0: active interface up!
? kernfs_name_hash+0x12/0x80
(NULL device *): Bonding Info Received: rdev: 000000006c0b8247
__ib_unregister_device+0x42/0xb0 [ib_core]
(NULL device *): Master: mode: 4 num_slaves:2
ib_unregister_device+0x22/0x30 [ib_core]
(NULL device *): Slave: id: 105069936 name:p2p1 link:0 state:0
bnxt_re_stopqps_and_ib_uninit+0x83/0x90 [bnxt_re]
bnxt_re_alloc_lag+0x12e/0x4e0 [bnxt_re]

Published: 2025-12-30

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`a42d985bd5b234da8b61347a78dc3057bf7bb94d`	affected	< 8ec6acdb9b6a80eeb13e778dfedb5d72a88f14fe
`a42d985bd5b234da8b61347a78dc3057bf7bb94d`	affected	< 00cc21e32ea1b8ebbabf5d645da9378d986bf8ba
`a42d985bd5b234da8b61347a78dc3057bf7bb94d`	affected	< 4323aaedeba32076e652aad056afd7885bb96bb7
`a42d985bd5b234da8b61347a78dc3057bf7bb94d`	affected	< 5f6ef2a574b0e0e0ea46ed0022575442df9d0bf9
`a42d985bd5b234da8b61347a78dc3057bf7bb94d`	affected	< b713623bfef8cb1df9c769a3887fa10db63d1c54
`a42d985bd5b234da8b61347a78dc3057bf7bb94d`	affected	< eca5cd9474cd26d62f9756f536e2e656d3f62f3a

Linux

affected

Version	Status	Constraints
`3.3`	affected	—
`0`	unaffected	< 3.3
`5.10.180`	unaffected	≤ 5.10.*
`5.15.111`	unaffected	≤ 5.15.*
`6.1.28`	unaffected	≤ 6.1.*
`6.2.15`	unaffected	≤ 6.2.*
`6.3.2`	unaffected	≤ 6.3.*
`6.4`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00047.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/00cc21e32ea1b8ebbabf5d645da9378d986bf8ba
https://git.kernel.org/stable/c/4323aaedeba32076e652aad056afd7885bb96bb7
https://git.kernel.org/stable/c/5f6ef2a574b0e0e0ea46ed0022575442df9d0bf9
https://git.kernel.org/stable/c/8ec6acdb9b6a80eeb13e778dfedb5d72a88f14fe
https://git.kernel.org/stable/c/b713623bfef8cb1df9c769a3887fa10db63d1c54
https://git.kernel.org/stable/c/eca5cd9474cd26d62f9756f536e2e656d3f62f3a
https://lore.kernel.org/linux-cve-announce/2025123002-CVE-2023-54274-79a7@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2023-54274
https://www.cve.org/CVERecord?id=CVE-2023-54274

History

Thu, 01 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025123002-CVE-2023-54274-79a7@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2023-54274 https://www.cve.org/CVERecord?id=CVE-2023-54274
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Tue, 30 Dec 2025 12:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: RDMA/srpt: Add a check for valid 'mad_agent' pointer When unregistering MAD agent, srpt module has a non-null check for 'mad_agent' pointer before invoking ib_unregister_mad_agent(). This check can pass if 'mad_agent' variable holds an error value. The 'mad_agent' can have an error value for a short window when srpt_add_one() and srpt_remove_one() is executed simultaneously. In srpt module, added a valid pointer check for 'sport->mad_agent' before unregistering MAD agent. This issue can hit when RoCE driver unregisters ib_device Stack Trace: ------------ BUG: kernel NULL pointer dereference, address: 000000000000004d PGD 145003067 P4D 145003067 PUD 2324fe067 PMD 0 Oops: 0002 [#1] PREEMPT SMP NOPTI CPU: 10 PID: 4459 Comm: kworker/u80:0 Kdump: loaded Tainted: P Hardware name: Dell Inc. PowerEdge R640/06NR82, BIOS 2.5.4 01/13/2020 Workqueue: bnxt_re bnxt_re_task [bnxt_re] RIP: 0010:_raw_spin_lock_irqsave+0x19/0x40 Call Trace: ib_unregister_mad_agent+0x46/0x2f0 [ib_core] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready ? __schedule+0x20b/0x560 srpt_unregister_mad_agent+0x93/0xd0 [ib_srpt] srpt_remove_one+0x20/0x150 [ib_srpt] remove_client_context+0x88/0xd0 [ib_core] bond0: (slave p2p1): link status definitely up, 100000 Mbps full duplex disable_device+0x8a/0x160 [ib_core] bond0: active interface up! ? kernfs_name_hash+0x12/0x80 (NULL device ): Bonding Info Received: rdev: 000000006c0b8247 __ib_unregister_device+0x42/0xb0 [ib_core] (NULL device ): Master: mode: 4 num_slaves:2 ib_unregister_device+0x22/0x30 [ib_core] (NULL device *): Slave: id: 105069936 name:p2p1 link:0 state:0 bnxt_re_stopqps_and_ib_uninit+0x83/0x90 [bnxt_re] bnxt_re_alloc_lag+0x12e/0x4e0 [bnxt_re]
Title		RDMA/srpt: Add a check for valid 'mad_agent' pointer
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/00cc21e32ea1b8ebbabf5d645da9378d986bf8ba https://git.kernel.org/stable/c/4323aaedeba32076e652aad056afd7885bb96bb7 https://git.kernel.org/stable/c/5f6ef2a574b0e0e0ea46ed0022575442df9d0bf9 https://git.kernel.org/stable/c/8ec6acdb9b6a80eeb13e778dfedb5d72a88f14fe https://git.kernel.org/stable/c/b713623bfef8cb1df9c769a3887fa10db63d1c54 https://git.kernel.org/stable/c/eca5cd9474cd26d62f9756f536e2e656d3f62f3a

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-12-30T12:16:03.696Z

Updated: 2026-05-11T19:58:48.284Z

Reserved: 2025-12-30T12:06:44.523Z

Link: CVE-2023-54274

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2025-12-30T13:16:16.327

Modified: 2026-04-15T00:35:42.020

Link: CVE-2023-54274

Redhat

Severity : Moderate

Publid Date: 2025-12-30T00:00:00Z

Links: CVE-2023-54274 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object