CVE-2023-54269

In the Linux kernel, the following vulnerability has been resolved:

SUNRPC: double free xprt_ctxt while still in use

When an RPC request is deferred, the rq_xprt_ctxt pointer is moved out of the svc_rqst into the svc_deferred_req. When the deferred request is revisited, the pointer is copied into the new svc_rqst - and also remains in the svc_deferred_req.

In the (rare?) case that the request is deferred a second time, the old svc_deferred_req is reused - it still has all the correct content. However, in that case the rq_xprt_ctxt pointer is NOT cleared, so that when xpo_release_xprt is called, the ctxt is freed (UDP) or possibly added to a free list (RDMA).

When the deferred request is revisited for a second time, it will reference this ctxt, which may be invalid, and then free the object a second time, which is likely to oops.

So change svc_defer() to *always* clear rq_xprt_ctxt, and assert that the value is now stored in the svc_deferred_req.
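The pointer hand-off described above can be traced with a small user-space model. This is an added example, not the kernel's code or the upstream patch: the struct and field names follow the description, while release_xprt, defer, revisit, run_double_deferral and the fixed flag are illustrative assumptions, and releases are counted instead of calling free().

```c
#include <stdio.h>

/* User-space model: names follow the description, bodies are illustrative. */
struct ctxt { int releases; };          /* counts releases instead of free() */
struct svc_deferred_req { struct ctxt *xprt_ctxt; };
struct svc_rqst { struct ctxt *rq_xprt_ctxt; struct svc_deferred_req *rq_deferred; };

/* Models xpo_release_xprt: release whatever ctxt the request still holds. */
static void release_xprt(struct svc_rqst *rq) {
    if (rq->rq_xprt_ctxt) rq->rq_xprt_ctxt->releases++;
    rq->rq_xprt_ctxt = NULL;
}

/* Models svc_defer(); fixed == 0 is the behaviour before the fix. */
static struct svc_deferred_req *defer(struct svc_rqst *rq,
                                      struct svc_deferred_req *fresh, int fixed) {
    struct svc_deferred_req *dr = rq->rq_deferred;
    if (dr) {                           /* deferred again: old record is reused */
        rq->rq_deferred = NULL;
        if (fixed) rq->rq_xprt_ctxt = NULL;   /* the fix: always clear */
    } else {                            /* first deferral: pointer is moved */
        dr = fresh;
        dr->xprt_ctxt = rq->rq_xprt_ctxt;
        rq->rq_xprt_ctxt = NULL;
    }
    return dr;
}
/* Models revisiting: pointer is copied to the new request and stays in dr. */
static void revisit(struct svc_rqst *rq, struct svc_deferred_req *dr) {
    rq->rq_xprt_ctxt = dr->xprt_ctxt;
    rq->rq_deferred = dr;
}

/* Defer, revisit, defer again, revisit, complete. Returns the release count. */
static int run_double_deferral(int fixed) {
    struct ctxt c = {0};
    struct svc_deferred_req slot = {0}, *dr;
    struct svc_rqst r1 = {&c, NULL}, r2 = {0}, r3 = {0};
    dr = defer(&r1, &slot, fixed);
    release_xprt(&r1);                  /* r1 no longer holds the ctxt */
    revisit(&r2, dr);
    dr = defer(&r2, &slot, fixed);
    release_xprt(&r2);                  /* before the fix: releases ctxt dr still uses */
    revisit(&r3, dr);
    release_xprt(&r3);                  /* final release when the request completes */
    return c.releases;
}
int main(void) {
    printf("releases before fix: %d, after fix: %d\n", run_double_deferral(0), run_double_deferral(1));
    return 0;
}
```

A release count of 2 for a single ctxt is the double free; with the pointer always cleared in defer(), the only release happens when the request finally completes.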

Package Linux Kernel
Published 2025-12-30
Last modified 2026-04-15
Patch available Yes

Affected versions

Linux kernel versions 5.15.35, 5.17.4, 5.18 and later are affected. Fixed in 5.15.113, 6.1.30, 6.3.4, 6.4 and their respective stable series.

Affected from: ≥ 5.15.35, ≥ 5.17.4, ≥ 5.18
Fixed in: 5.15.113 (5.15.x), 6.1.30 (6.1.x), 6.3.4 (6.3.x), 6.4

Frequently asked questions

  • What is CVE-2023-54269?

    CVE-2023-54269 is a Linux kernel vulnerability with no severity score assigned. It affects Linux kernel versions from 5.15.35 onward and has been patched in 5.15.113, 6.1.30, 6.3.4 and others. CVE-2023-54269 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

  • Is there a patch available for CVE-2023-54269?

    Yes — CVE-2023-54269 has been patched. Fixed versions include 5.15.113, 6.1.30, 6.3.4 and others. If you are running Linux kernel 5.15.35 or later and have not yet reached the fixed version for your branch, apply the relevant patch for your kernel branch.

  • Is CVE-2023-54269 actively exploited?

    No — CVE-2023-54269 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.