CVE-2023-53586: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability in the Linux kernel's SCSI target subsystem was discovered, identified as CVE-2023-53586. The issue was related to improper handling of multiple LUN_RESET commands, which was introduced by commit 51ec502a3266 ("target: Delete tmr from list before processing"). The vulnerability was disclosed on October 4, 2025 (NVD).

The vulnerability occurs in a specific sequence of events involving multiple I/O commands running across two sessions. When an initiator sends LUNRESET commands for each session, the first session's LUNRESET moves all running commands to its local draintasklist. The second session's LUNRESET fails to see the first session's LUNRESET due to premature removal, resulting in a race condition. The issue has been assigned a CVSS v3.1 base score of 7.0, indicating high severity (Red Hat).

When exploited, this vulnerability can lead to a situation where the initiator incorrectly believes that running commands have been cleaned up when they haven't. This can result in command restart attempts while the original commands are still processing, potentially leading to invalid ITT errors or accidental task lookups if the ITT has been reallocated (NVD).

The fix involves reverting the problematic patch and implementing serialization of LUNRESETs, Preempt, and Abort operations. Additionally, modifications were made to prevent waiting on LUNRESETs in coretmrdraintmrlist to avoid potential deadlocks (NVD).