CVE-2023-52935

CVE-2023-52935 is a race condition vulnerability in the Linux kernel's mm/khugepaged subsystem, which handles transparent huge page collapsing. The issue arises because retract_page_tables() checks for an attached ->anon_vma before holding the mmap lock, despite page table removal requiring the mmap lock, anon_vma lock (if applicable), and mapping lock. If an ->anon_vma is racily merged from a neighboring VMA (such as one shared with a child process), concurrent rmap traversals can access page tables being removed, assuming exclusive access. This triggers a lockdep warning in collapse_and_free_pmd() due to unheld anon_vma->root->rwsem and can result in use-after-free access (CWE-416).

A local attacker with low privileges can exploit this vulnerability (CVSS:3.1 score of 7.8; AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). By triggering khugepaged operations on VMAs with shared anon_vmas, such as through process forking and memory access patterns, the attacker can race the page table retraction, leading to use-after-free conditions that enable high-impact confidentiality, integrity, and availability violations, potentially including arbitrary code execution or system crashes.

The provided references point to stable kernel commit patches that resolve the issue by repeating the ->anon_vma check after acquiring the mmap lock, ensuring no concurrent page table access during removal. Security practitioners should update to kernels incorporating these fixes (e.g., commits 023f47a8250c6bdb4aebe744db4bf7f73414028b, 352fbf61ce776fef18dca6a68680a6cd943dac95, and others listed) to mitigate the vulnerability.