CVE-2023-53722: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-53722 is a vulnerability discovered in the Linux kernel's RAID1 implementation, specifically in the raid1_remove_disk() function. The vulnerability was disclosed on October 22, 2025, affecting various Linux kernel versions. The issue occurs when rddev->raid_disk is greater than mddev->raid_disks, potentially leading to an out-of-bounds access (NVD).

The vulnerability is characterized by a potential out-of-bounds access in the raid1_remove_disk() function when rdev->raid_disk exceeds the configured number of RAID1 mirrors, which could lead to dereferencing beyond conf->mirrors. The issue has been assigned a CVSS 3.1 base score with the vector AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H, indicating local access requirements and high privileges needed for exploitation (RedHat).

The vulnerability can lead to a kernel crash (Denial of Service) during array reconfiguration or disk removal operations. However, the impact is limited by the requirement of root or RAID management privileges to trigger the vulnerable path (RedHat).

The vulnerability has been fixed by implementing a check for the validity of the 'number' variable. Multiple Linux distributions have released patches, including Ubuntu with versions 5.15.0-94.104 for 22.04 LTS and 5.4.0-169.187 for 20.04 LTS, and Red Hat Enterprise Linux with kernel version 4.18.0-553.el8_10 (Ubuntu).