What is CVE-2023-53777?

CVE-2023-53777 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 6.0 onward and patched in 6.1.39, 6.3.13, 6.4.4 and others. CVE-2023-53777 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2023-53777?

CVE-2023-53777 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2023-53777?

Yes, CVE-2023-53777 has been patched. Fixed versions include 6.1.39, 6.3.13, 6.4.4 and others. If you are running Linux kernel 6.0 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2023-53777 actively exploited?

CVE-2023-53777 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2023-53777

In the Linux kernel, the following vulnerability has been resolved: erofs: kill hooked chains to avoid loops on deduplicated compressed images After heavily stressing EROFS with several images which include a hand-crafted image of repeated patterns for more than 46 days, I found two chains could be linked with each other almost simultaneously and form a loop so that the entire loop won't be submitted. As a consequence, the corresponding file pages will remain locked forever. It can be _only_ observed on data-deduplicated compressed images. For example, consider two chains with five pclusters in total: Chain 1: 2->3->4->5 -- The tail pcluster is 5; Chain 2: 5->1->2 -- The tail pcluster is 2. Chain 2 could link to Chain 1 with pcluster 5; and Chain 1 could link to Chain 2 at the same time with pcluster 2. Since hooked chains are all linked locklessly now, I have no idea how to simply avoid the race. Instead, let's avoid hooked chains completely until I could work out a proper way to fix this and end users finally tell us that it's needed to add it back. Actually, this optimization can be found with multi-threaded workloads (especially even more often on deduplicated compressed images), yet I'm not sure about the overall system impacts of not having this compared with implementation complexity.

Package Linux Kernel

Published 2025-12-09

Last modified 2026-04-15

Patch available

Yes

Affected versions

Linux kernel versions 6.0 and later are affected. Fixed in 6.1.39, 6.3.13, 6.4.4, 6.5 and their respective stable series.

Affected from

≥ 6.0

Fixed in

✓ 6.1.39 6.1.x ✓ 6.3.13 6.3.x ✓ 6.4.4 6.4.x ✓ 6.5

References

The following references provide additional information about CVE-2023-53777 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/10c2b98a40d9044a3e97f4697ca6213bad7e19c2
Patch
Kernel patch commit
https://git.kernel.org/stable/c/967c28b23f6c89bb8eef6a046ea88afe0d7c1029
Patch
Kernel patch commit
https://git.kernel.org/stable/c/b5b0d52f00e4bacb0ebdf47cd7016b0485fffad2
Patch

4 patch commits total View all on NVD

Frequently asked questions

What is CVE-2023-53777?

CVE-2023-53777 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 6.0 onward and has been patched in 6.1.39, 6.3.13, 6.4.4 and others. CVE-2023-53777 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2023-53777?

Yes — CVE-2023-53777 has been patched. Fixed versions include 6.1.39, 6.3.13, 6.4.4 and others. If you are running Linux kernel 6.0 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2023-53777 actively exploited?

No — CVE-2023-53777 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.