What is CVE-2023-54156?

CVE-2023-54156 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 5.9 onward and patched in 5.10.188, 5.15.121, 6.1.39 and others. CVE-2023-54156 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2023-54156?

CVE-2023-54156 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2023-54156?

Yes, CVE-2023-54156 has been patched. Fixed versions include 5.10.188, 5.15.121, 6.1.39 and others. If you are running Linux kernel 5.9 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2023-54156 actively exploited?

CVE-2023-54156 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2023-54156

In the Linux kernel, the following vulnerability has been resolved: sfc: fix crash when reading stats while NIC is resetting efx_net_stats() (.ndo_get_stats64) can be called during an ethtool selftest, during which time nic_data->mc_stats is NULL as the NIC has been fini'd. In this case do not attempt to fetch the latest stats from the hardware, else we will crash on a NULL dereference: BUG: kernel NULL pointer dereference, address: 0000000000000038 RIP efx_nic_update_stats abridged calltrace: efx_ef10_update_stats_pf efx_net_stats dev_get_stats dev_seq_printf_stats Skipping the read is safe, we will simply give out stale stats. To ensure that the free in efx_ef10_fini_nic() does not race against efx_ef10_update_stats_pf(), which could cause a TOCTTOU bug, take the efx->stats_lock in fini_nic (it is already held across update_stats).

Package Linux Kernel

Published 2025-12-24

Last modified 2026-04-15

Patch available

Yes

Affected versions

Linux kernel versions 5.9 and later are affected. Fixed in 5.10.188, 5.15.121, 6.1.39, 6.3.13, 6.4.4, 6.5 and their respective stable series.

Affected from

≥ 5.9

Fixed in

✓ 5.10.188 5.10.x ✓ 5.15.121 5.15.x ✓ 6.1.39 6.1.x ✓ 6.3.13 6.3.x ✓ 6.4.4 6.4.x ✓ 6.5

References

The following references provide additional information about CVE-2023-54156 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/446f5567934331923d0aec4ce045e4ecb0174aae
Patch
Kernel patch commit
https://git.kernel.org/stable/c/470152d76b3ed107d172ea46acc4bfa941f20b4b
Patch
Kernel patch commit
https://git.kernel.org/stable/c/91f4ef204e731565afdc6c2a7fcf509a3fd6fd67
Patch

6 patch commits total View all on NVD

Frequently asked questions

What is CVE-2023-54156?

CVE-2023-54156 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 5.9 onward and has been patched in 5.10.188, 5.15.121, 6.1.39 and others. CVE-2023-54156 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2023-54156?

Yes — CVE-2023-54156 has been patched. Fixed versions include 5.10.188, 5.15.121, 6.1.39 and others. If you are running Linux kernel 5.9 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2023-54156 actively exploited?

No — CVE-2023-54156 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.