CVE-2023-53373: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-53373 is a vulnerability discovered in the Linux kernel's crypto subsystem, specifically in the seqiv (Sequential IV) component. The vulnerability was disclosed on September 18, 2025. The issue affects various Linux distributions and their kernel implementations (Ubuntu Security, Debian Security).

The vulnerability stems from improper handling of the EBUSY return value in the seqiv component. While seqiv handles the special return value of EINPROGRESS, it fails to properly handle EBUSY cases. When the caller specifies MAY_BACKLOG, the component should expect and handle EBUSY similarly. The current implementation incorrectly frees data related to the request in these cases, which can lead to a use-after-free condition (Debian Security).

The vulnerability can trigger a use-after-free condition when handling backlogged requests in the crypto subsystem. This could potentially lead to system instability or security implications in the affected Linux kernel versions (Ubuntu Security).

Multiple Linux distributions have released patches to address this vulnerability. Ubuntu has fixed the issue in various kernel versions, including linux-hwe-5.15 (5.15.0-75.82~20.04.1), linux-azure (5.15.0-1040.47), and linux-kvm (5.15.0-1035.40). Debian has also released fixes for multiple versions including bullseye (5.10.237-1), bookworm (6.1.153-1), and trixie (6.12.48-1) (Ubuntu Security, Debian Security).