CVE-2023-53506 [High] | Security Vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: udf: Do not bother merging very long extents When merging very long extents we try to push as much length as possible to the first extent. However this is unnecessarily complicated and not really worth the trouble. Furthermore there was a bug in the logic resulting in corrupting extents in the file as syzbot reproducer shows. So just don't bother with the merging of extents that are too long together.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-10-01	—	0.02%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2025-10-01

—

0.02%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.8	3.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	5.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

7.8

3.1

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.8

5.9

[email protected]

OS Trackers for CVE-2023-53506

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2023-53506 not yet assigned priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2023-53506
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2023-53506
`suse`	low	—	https://www.suse.com/security/cve/CVE-2023-53506/
`ubuntu`	medium	CVE-2023-53506 medium priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1414 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 1017, ignored 162, released 135, not-affected 79, needed 20, needs-triage 1.	https://ubuntu.com/security/CVE-2023-53506

Affected software / configurations for CVE-2023-53506

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 2.6.12.1, < 4.14.308	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 4.15, < 4.19.276	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 4.20, < 5.4.235	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.5, < 5.10.173	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.11, < 5.15.99	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.16, < 6.1.16	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.2, < 6.2.3	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	2.6.12	cpe:2.3:o:linux:linux_kernel:2.6.12:-::::::
linux	linux_kernel	2.6.12	cpe:2.3:o:linux:linux_kernel:2.6.12:rc2::::::
linux	linux_kernel	2.6.12	cpe:2.3:o:linux:linux_kernel:2.6.12:rc3::::::
linux	linux_kernel	2.6.12	cpe:2.3:o:linux:linux_kernel:2.6.12:rc4::::::
linux	linux_kernel	2.6.12	cpe:2.3:o:linux:linux_kernel:2.6.12:rc5::::::

References for CVE-2023-53506

URL	Tags
https://git.kernel.org/stable/c/3d20e3b768aff32112bdce8d3219d923ae75f9f1	Patch
https://git.kernel.org/stable/c/53cafe1d6d8ef9f93318e5bfccc0d24f27d41ced	Patch
https://git.kernel.org/stable/c/5d029799d381a9ee06209a222cae75f04c5d5304	Patch
https://git.kernel.org/stable/c/7a965da79f2d22601f329cbfce588386b0847544	Patch
https://git.kernel.org/stable/c/965982feb333aefa9256c0fe188b5f1b958aef63	Patch
https://git.kernel.org/stable/c/9a8d602f0723586e668bae7e65c832ceb9bcc8bc	Patch
https://git.kernel.org/stable/c/adac9ac6d2e04ea0782b91a00ba10706002f3ec4	Patch
https://git.kernel.org/stable/c/d52252a1de4cf96a34f722b0cd8902d8ff78eb57	Patch

URL

CVE-2023-53506 | udf: Do not bother merging very long extents

Exploit prediction scoring system (EPSS) score for CVE-2023-53506

Common vulnerability scoring system (CVSS) metrics for CVE-2023-53506

Weakness enumeration for CVE-2023-53506

OS Trackers for CVE-2023-53506

Affected software / configurations for CVE-2023-53506

References for CVE-2023-53506