First published: Tue Oct 10 2023 (Updated: )
Closing an event channel in the Linux kernel can result in a deadlock. This happens when the close is performed in parallel with an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is triggered, for example, by removal of a paravirtual device on the other side. Because that action quite often causes console messages to be issued on the other side, the chance of triggering the deadlock is not negligible. Note that 32-bit Arm guests are not affected, as the 32-bit Linux kernel on Arm does not use queued RW locks, which are required to trigger the issue (on Arm32 a waiting writer does not block further readers from getting the lock).
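The description above hinges on one property of queued RW locks: once a writer is waiting, new readers are refused. The following is an added example, not code from the advisory, from the Linux kernel or from the Xen project. It is a small Python model of a reader/writer lock with and without that fairness property, replaying the three-party interleaving the advisory describes (a process-context reader, a writer performing the close, and an interrupt-context reader on the same CPU). The lock state machine and the exact step order are assumptions chosen to illustrate the mechanism, not a transcript of the kernel's lock implementation.

```python
# Added example: a Python model of the lock interleaving behind the deadlock
# described in the advisory. Not kernel code; the lock semantics and the
# three-party sequence are assumptions used for illustration.

from dataclasses import dataclass


@dataclass
class RWLockModel:
    """Minimal reader/writer lock state machine.

    fair=True models a queued RW lock: once a writer is waiting, new readers
    are refused so the writer cannot starve. fair=False models the Arm32-style
    behaviour the advisory mentions, where a waiting writer does not block
    further readers.
    """
    fair: bool
    readers: int = 0
    writer_held: bool = False
    writer_waiting: bool = False

    def try_read_lock(self) -> bool:
        if self.writer_held:
            return False
        if self.fair and self.writer_waiting:
            return False          # queued semantics: new readers queue behind the writer
        self.readers += 1
        return True

    def read_unlock(self) -> None:
        if self.readers <= 0:
            raise RuntimeError("read_unlock without matching read_lock")
        self.readers -= 1

    def try_write_lock(self) -> bool:
        if self.writer_held or self.readers > 0:
            self.writer_waiting = True   # writer parks and waits for readers to drain
            return False
        self.writer_waiting = False
        self.writer_held = True
        return True

    def write_unlock(self) -> None:
        if not self.writer_held:
            raise RuntimeError("write_unlock without matching write_lock")
        self.writer_held = False


def run_scenario(fair: bool) -> str:
    """Replay the assumed interleaving on a lock with the given fairness.

    Returns "deadlock" if the interrupt-context reader can never take the lock
    (so the outer reader never unlocks and the writer never runs), otherwise
    "completes".
    """
    lock = RWLockModel(fair=fair)

    # Step 1: CPU A, process context (the unrelated console action) takes the
    # lock for reading while interrupts remain enabled.
    if not lock.try_read_lock():
        raise RuntimeError("unexpected: first reader should succeed")

    # Step 2: CPU B closes an event channel, which needs the write lock; it
    # must wait for CPU A's reader to finish.
    if lock.try_write_lock():
        raise RuntimeError("unexpected: writer should wait for the reader")

    # Step 3: a console interrupt lands on CPU A. Its handler also wants the
    # lock for reading, and CPU A cannot release the outer read lock until
    # the handler returns.
    if not lock.try_read_lock():
        # Nested reader refused because a writer is queued; the outer reader
        # never unlocks and the writer never proceeds: a circular wait.
        return "deadlock"

    # Without the fairness rule the nested reader is admitted, the handler
    # finishes, the outer reader unlocks and the writer finally gets in.
    lock.read_unlock()
    lock.read_unlock()
    if not lock.try_write_lock():
        raise RuntimeError("unexpected: writer should acquire once readers leave")
    lock.write_unlock()
    return "completes"


if __name__ == "__main__":
    for fair in (True, False):
        kind = "queued RW lock" if fair else "non-queued RW lock (32-bit Arm)"
        print(f"{kind}: {run_scenario(fair)}")
```

Running the model shows why the advisory singles out queued RW locks: with `fair=True` the nested interrupt-context reader is turned away and the three parties wait on each other forever, while with `fair=False` the same sequence completes. The practical lesson for anyone reviewing similar kernel code is that a read lock held with interrupts enabled must never be re-taken from an interrupt handler on a queued RW lock, regardless of how rarely a writer appears.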
Credit: security@xen.org
Affected Software | Affected Version | How to fix |
---|---|---|
debian/linux | 5.10.223-1, 5.10.226-1, 6.1.123-1, 6.1.128-1, 6.12.12-1, 6.12.13-1 | |
Linux kernel | <5.10 | |
Xen xen-unstable | | |
CVE-2023-34324 is classified as a medium severity vulnerability due to potential deadlock scenarios in the Linux kernel.
To mitigate CVE-2023-34324, upgrade to one of the fixed Debian linux package versions listed in the table, such as 5.10.223-1 or 6.12.12-1.
CVE-2023-34324 affects Linux kernel versions below 5.10 and the Xen hypervisor (xen-unstable).
CVE-2023-34324 does not appear to be directly exploitable remotely, as it involves a deadlock in an unprivileged guest context rather than memory corruption or code execution.
The deadlock in CVE-2023-34324 occurs when closing an event channel in parallel with an unrelated Xen console action.