CVE-2023-53044: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability in the Linux kernel (CVE-2023-53044) was identified and resolved, specifically affecting the dm-stats functionality. The issue was discovered and disclosed on May 2, 2025, impacting various Linux kernel versions (NVD, Debian Tracker).

The vulnerability involves a failure to properly check and handle allocpercpu() return values in the dmstatsinit() function. When allocpercpu() fails, the function should return an error and allocdev() should fail accordingly. Without this check, a NULL pointer dereference can occur in dmstats_cleanup(), even when dm-stats is not actively being used. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (Red Hat).

The vulnerability can lead to a NULL pointer dereference in the dmstatscleanup() function, potentially causing system crashes or denial of service conditions, even in scenarios where dm-stats functionality is not actively being used (NVD).

Fixed versions have been released for various Linux distributions. Debian has addressed the issue in multiple versions: bullseye (5.10.234-1), bookworm (6.1.137-1), and trixie/sid (6.12.27-1). Red Hat has deferred fixes for Red Hat Enterprise Linux 9 (Debian Tracker, Red Hat).