4.7
MEDIUM
CVE-2023-52609
Qualcomm Binder mmput() Race Condition Remote Denial of Service
Description

In the Linux kernel, the following vulnerability has been resolved: binder: fix race between mmput() and do_exit() Task A calls binder_update_page_range() to allocate and insert pages on a remote address space from Task B. For this, Task A pins the remote mm via mmget_not_zero() first. This can race with Task B do_exit() and the final mmput() refcount decrement will come from Task A. Task A | Task B ------------------+------------------ mmget_not_zero() | | do_exit() | exit_mm() | mmput() mmput() | exit_mmap() | remove_vma() | fput() | In this case, the work of ____fput() from Task B is queued up in Task A as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup work gets executed. However, Task A instead sleep, waiting for a reply from Task B that never comes (it's dead). This means the binder_deferred_release() is blocked until an unrelated binder event forces Task A to go back to userspace. All the associated death notifications will also be delayed until then. In order to fix this use mmput_async() that will schedule the work in the corresponding mm->async_put_work WQ instead of Task A.

INFO

Published Date :

March 18, 2024, 11:15 a.m.

Last Modified :

March 10, 2025, 3:10 p.m.

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Remotely Exploitable :

No

Impact Score :

3.6

Exploitability Score :

1.0
Public PoC/Exploit Available at Github

CVE-2023-52609 has a 1 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by CVE-2023-52609 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
1 Debian debian_linux
: Total Affected Vendor : 2 | Products : 2
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2023-52609.

URL Resource
https://git.kernel.org/stable/c/252a2a5569eb9f8d16428872cc24dea1ac0bb097 Mailing List Patch
https://git.kernel.org/stable/c/6696f76c32ff67fec26823fc2df46498e70d9bf3 Mailing List Patch
https://git.kernel.org/stable/c/67f16bf2cc1698fd50e01ee8a2becc5a8e6d3a3e Mailing List Patch
https://git.kernel.org/stable/c/77d210e8db4d61d43b2d16df66b1ec46fad2ee01 Mailing List Patch
https://git.kernel.org/stable/c/7e7a0d86542b0ea903006d3f42f33c4f7ead6918 Mailing List Patch
https://git.kernel.org/stable/c/95b1d336b0642198b56836b89908d07b9a0c9608 Mailing List Patch
https://git.kernel.org/stable/c/98fee5bee97ad47b527a997d5786410430d1f0e9 Mailing List Patch
https://git.kernel.org/stable/c/9a9ab0d963621d9d12199df9817e66982582d5a5 Mailing List Patch
https://git.kernel.org/stable/c/252a2a5569eb9f8d16428872cc24dea1ac0bb097 Mailing List Patch
https://git.kernel.org/stable/c/6696f76c32ff67fec26823fc2df46498e70d9bf3 Mailing List Patch
https://git.kernel.org/stable/c/67f16bf2cc1698fd50e01ee8a2becc5a8e6d3a3e Mailing List Patch
https://git.kernel.org/stable/c/77d210e8db4d61d43b2d16df66b1ec46fad2ee01 Mailing List Patch
https://git.kernel.org/stable/c/7e7a0d86542b0ea903006d3f42f33c4f7ead6918 Mailing List Patch
https://git.kernel.org/stable/c/95b1d336b0642198b56836b89908d07b9a0c9608 Mailing List Patch
https://git.kernel.org/stable/c/98fee5bee97ad47b527a997d5786410430d1f0e9 Mailing List Patch
https://git.kernel.org/stable/c/9a9ab0d963621d9d12199df9817e66982582d5a5 Mailing List Patch
https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html Mailing List
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html Mailing List

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
NaInSec/CVE-LIST

Ini adalah repository kumpulan CVE v.5

allcve cve cvelist newcve

Updated: 7 months, 4 weeks ago
2 stars 0 fork 0 watcher
Born at : March 24, 2024, 3:01 p.m. This repo has been linked 1214 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2023-52609 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2023-52609 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Mar. 10, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
    Added CWE CWE-362
    Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 from (excluding) 6.1.75 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 from (excluding) 6.6.14 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 from (excluding) 6.7.2 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 from (excluding) 5.4.268 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 from (excluding) 5.15.148 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 from (excluding) 5.10.209 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 2.6.29 from (excluding) 4.19.306
    Added CPE Configuration OR *cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
    Added Reference Type CVE: https://git.kernel.org/stable/c/252a2a5569eb9f8d16428872cc24dea1ac0bb097 Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/252a2a5569eb9f8d16428872cc24dea1ac0bb097 Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/6696f76c32ff67fec26823fc2df46498e70d9bf3 Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/6696f76c32ff67fec26823fc2df46498e70d9bf3 Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/67f16bf2cc1698fd50e01ee8a2becc5a8e6d3a3e Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/67f16bf2cc1698fd50e01ee8a2becc5a8e6d3a3e Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/77d210e8db4d61d43b2d16df66b1ec46fad2ee01 Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/77d210e8db4d61d43b2d16df66b1ec46fad2ee01 Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/7e7a0d86542b0ea903006d3f42f33c4f7ead6918 Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/7e7a0d86542b0ea903006d3f42f33c4f7ead6918 Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/95b1d336b0642198b56836b89908d07b9a0c9608 Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/95b1d336b0642198b56836b89908d07b9a0c9608 Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/98fee5bee97ad47b527a997d5786410430d1f0e9 Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/98fee5bee97ad47b527a997d5786410430d1f0e9 Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/9a9ab0d963621d9d12199df9817e66982582d5a5 Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/9a9ab0d963621d9d12199df9817e66982582d5a5 Types: Mailing List, Patch
    Added Reference Type CVE: https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html Types: Mailing List
    Added Reference Type CVE: https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html Types: Mailing List
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference https://git.kernel.org/stable/c/252a2a5569eb9f8d16428872cc24dea1ac0bb097
    Added Reference https://git.kernel.org/stable/c/6696f76c32ff67fec26823fc2df46498e70d9bf3
    Added Reference https://git.kernel.org/stable/c/67f16bf2cc1698fd50e01ee8a2becc5a8e6d3a3e
    Added Reference https://git.kernel.org/stable/c/77d210e8db4d61d43b2d16df66b1ec46fad2ee01
    Added Reference https://git.kernel.org/stable/c/7e7a0d86542b0ea903006d3f42f33c4f7ead6918
    Added Reference https://git.kernel.org/stable/c/95b1d336b0642198b56836b89908d07b9a0c9608
    Added Reference https://git.kernel.org/stable/c/98fee5bee97ad47b527a997d5786410430d1f0e9
    Added Reference https://git.kernel.org/stable/c/9a9ab0d963621d9d12199df9817e66982582d5a5
    Added Reference https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html
    Added Reference https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Nov. 04, 2024

    Action Type Old Value New Value
    Removed Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html
    Removed Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 27, 2024

    Action Type Old Value New Value
    Added Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html [No types assigned]
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 25, 2024

    Action Type Old Value New Value
    Added Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html [No types assigned]
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 29, 2024

    Action Type Old Value New Value
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 14, 2024

    Action Type Old Value New Value
  • CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Mar. 18, 2024

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: binder: fix race between mmput() and do_exit() Task A calls binder_update_page_range() to allocate and insert pages on a remote address space from Task B. For this, Task A pins the remote mm via mmget_not_zero() first. This can race with Task B do_exit() and the final mmput() refcount decrement will come from Task A. Task A | Task B ------------------+------------------ mmget_not_zero() | | do_exit() | exit_mm() | mmput() mmput() | exit_mmap() | remove_vma() | fput() | In this case, the work of ____fput() from Task B is queued up in Task A as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup work gets executed. However, Task A instead sleep, waiting for a reply from Task B that never comes (it's dead). This means the binder_deferred_release() is blocked until an unrelated binder event forces Task A to go back to userspace. All the associated death notifications will also be delayed until then. In order to fix this use mmput_async() that will schedule the work in the corresponding mm->async_put_work WQ instead of Task A.
    Added Reference kernel.org https://git.kernel.org/stable/c/95b1d336b0642198b56836b89908d07b9a0c9608 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/252a2a5569eb9f8d16428872cc24dea1ac0bb097 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/7e7a0d86542b0ea903006d3f42f33c4f7ead6918 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/98fee5bee97ad47b527a997d5786410430d1f0e9 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/6696f76c32ff67fec26823fc2df46498e70d9bf3 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/67f16bf2cc1698fd50e01ee8a2becc5a8e6d3a3e [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/77d210e8db4d61d43b2d16df66b1ec46fad2ee01 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/9a9ab0d963621d9d12199df9817e66982582d5a5 [No types assigned]
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2023-52609 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2023-52609 weaknesses.

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
: