1. Home
  2. Vulnerabilities
  3. CVE-2023-53998
0.0
NA
CVE-2023-53998
hwrng: virtio - Fix race on data_avail and actual data
Description

In the Linux kernel, the following vulnerability has been resolved: hwrng: virtio - Fix race on data_avail and actual data The virtio rng device kicks off a new entropy request whenever the data available reaches zero. When a new request occurs at the end of a read operation, that is, when the result of that request is only needed by the next reader, then there is a race between the writing of the new data and the next reader. This is because there is no synchronisation whatsoever between the writer and the reader. Fix this by writing data_avail with smp_store_release and reading it with smp_load_acquire when we first enter read. The subsequent reads are safe because they're either protected by the first load acquire, or by the completion mechanism. Also remove the redundant zeroing of data_idx in random_recv_done (data_idx must already be zero at this point) and data_avail in request_entropy (ditto).

INFO

Published Date :

Dec. 24, 2025, 11:15 a.m.

Last Modified :

Dec. 24, 2025, 11:15 a.m.

Remotely Exploit :

No

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67
Affected Products

The following products are affected by CVE-2023-53998 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

No affected product recoded yet

: Total Affected Vendor : 0 | Products : 0
Solution
Apply kernel updates to synchronize reader and writer operations.
  • Update the Linux kernel to the latest version.
  • Ensure kernel modules are properly synchronized.
  • Review synchronization mechanisms for data access.
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2023-53998.

URL Resource
https://git.kernel.org/stable/c/22c30022cde6e2c88612b3a499223cfa912f1bc7
https://git.kernel.org/stable/c/241ef15776a7c8505008db689175b320d345ecd3
https://git.kernel.org/stable/c/2fc91f156b3f3446a1bce80cf4adedcbf41271c2
https://git.kernel.org/stable/c/318657b4c2077289659f1cd9e2a34f6a3b208e3e
https://git.kernel.org/stable/c/77471e4912d3960dafe141e268c44be8024fe4dc
https://git.kernel.org/stable/c/a43bcb0b661cbbf3ad797d2aee6b6fd06b8fc69d
https://git.kernel.org/stable/c/ac52578d6e8d300dd50f790f29a24169b1edd26c
https://git.kernel.org/stable/c/c76d991b6f01a5d931e7053a73bc9524975a5215
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2023-53998 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2023-53998 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2023-53998 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2023-53998 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Dec. 24, 2025

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: hwrng: virtio - Fix race on data_avail and actual data The virtio rng device kicks off a new entropy request whenever the data available reaches zero. When a new request occurs at the end of a read operation, that is, when the result of that request is only needed by the next reader, then there is a race between the writing of the new data and the next reader. This is because there is no synchronisation whatsoever between the writer and the reader. Fix this by writing data_avail with smp_store_release and reading it with smp_load_acquire when we first enter read. The subsequent reads are safe because they're either protected by the first load acquire, or by the completion mechanism. Also remove the redundant zeroing of data_idx in random_recv_done (data_idx must already be zero at this point) and data_avail in request_entropy (ditto).
    Added Reference https://git.kernel.org/stable/c/22c30022cde6e2c88612b3a499223cfa912f1bc7
    Added Reference https://git.kernel.org/stable/c/241ef15776a7c8505008db689175b320d345ecd3
    Added Reference https://git.kernel.org/stable/c/2fc91f156b3f3446a1bce80cf4adedcbf41271c2
    Added Reference https://git.kernel.org/stable/c/318657b4c2077289659f1cd9e2a34f6a3b208e3e
    Added Reference https://git.kernel.org/stable/c/77471e4912d3960dafe141e268c44be8024fe4dc
    Added Reference https://git.kernel.org/stable/c/a43bcb0b661cbbf3ad797d2aee6b6fd06b8fc69d
    Added Reference https://git.kernel.org/stable/c/ac52578d6e8d300dd50f790f29a24169b1edd26c
    Added Reference https://git.kernel.org/stable/c/c76d991b6f01a5d931e7053a73bc9524975a5215
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
No CVSS metrics available for this vulnerability.