CVE-2023-53333
BaseFortify

Publication date: 2025-09-16

Last updated on: 2025-12-10

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one

Eric Dumazet says:

    nf_conntrack_dccp_packet() has a unique:

        dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);

    And nothing more is 'pulled' from the packet, depending on the content.
    (dh->dccph_doff, and/or dh->dccph_x ...)

    So dccp_ack_seq() is happily reading stuff past the _dh buffer.

    BUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0
    Read of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371
    [..]

Fix this by increasing the stack buffer to also include room for the extra sequence numbers and all the known dccp packet type headers, then pull again after the initial validation of the basic header.

While at it, mark packets invalid that lack 48bit sequence bit but where RFC says the type MUST use them.

Compile tested only.

v2: first skb_header_pointer() now needs to adjust the size to only pull the generic header. (Eric)

Heads-up: I intend to remove dccp conntrack support later this year.
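The two-stage pull that the fix describes, modelled in plain C as an added example (this is not the kernel's code): header sizes and the "X MUST be 1" rule follow RFC 4340, pull() stands in for skb_header_pointer(), and the sample packets are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>
/* DCCP packet types (RFC 4340 section 5.1). */
enum { DCCP_REQUEST = 0, DCCP_RESPONSE, DCCP_DATA, DCCP_ACK, DCCP_DATAACK,
       DCCP_CLOSEREQ, DCCP_CLOSE, DCCP_RESET, DCCP_SYNC, DCCP_SYNCACK };
#define DCCP_BASIC_HDR 12                  /* generic header, 24-bit sequence number (X=0) */
#define DCCP_EXT_HDR   16                  /* generic header, 48-bit sequence number (X=1) */
#define DCCP_MAX_HDR   (DCCP_EXT_HDR + 12) /* plus the largest type-specific part (Response, Reset) */

/* Fixed header length for a type/X pair, or -1 where RFC 4340 forbids X=0 (only Data, Ack, DataAck may use it). */
static int dccp_header_len(int type, int x)
{
    int len = x ? DCCP_EXT_HDR : DCCP_BASIC_HDR, ack = x ? 8 : 4;
    switch (type) {
    case DCCP_DATA:     return len;
    case DCCP_ACK:      case DCCP_DATAACK: return len + ack;
    case DCCP_REQUEST:  return x ? len + 4 : -1;   /* service code */
    case DCCP_RESPONSE: case DCCP_RESET:   return x ? len + 12 : -1;
    case DCCP_CLOSEREQ: case DCCP_CLOSE:
    case DCCP_SYNC:     case DCCP_SYNCACK: return x ? len + 8 : -1;
    default:            return -1;
    }
}

/* Stand-in for skb_header_pointer(): copy len bytes at off into buf, or fail. */
static int pull(const uint8_t *pkt, size_t pktlen, size_t off, size_t len, void *buf)
{
    if (off + len > pktlen) return 0;
    memcpy(buf, pkt + off, len);
    return 1;
}

/* Two-stage pull: basic header first, then the whole header once type and X are known. Returns the sequence number, or -1. */
static int64_t dccp_parse(const uint8_t *pkt, size_t pktlen, size_t off)
{
    uint8_t hdr[DCCP_MAX_HDR];                          /* room for every known header, not just the basic one */
    if (!pull(pkt, pktlen, off, DCCP_BASIC_HDR, hdr)) return -1;
    int type = (hdr[8] >> 1) & 0x0f, x = hdr[8] & 1;   /* byte 8: Res:3 | Type:4 | X:1 */
    int len = dccp_header_len(type, x);
    if (len < 0 || hdr[4] * 4 < len) return -1;        /* doff is in 32-bit words */
    if (!pull(pkt, pktlen, off, (size_t)len, hdr)) return -1; /* every field read below is now in bounds */
    if (x)
        return ((int64_t)hdr[10] << 40) | ((int64_t)hdr[11] << 32) | ((int64_t)hdr[12] << 24) |
               ((int64_t)hdr[13] << 16) | ((int64_t)hdr[14] << 8) | hdr[15];
    return ((int64_t)hdr[9] << 16) | ((int64_t)hdr[10] << 8) | hdr[11];
}

/* Constructed samples: a 20-byte Request (X=1, doff=5) and a 12-byte Data packet (X=0, doff=3). */
const uint8_t sample_request[20] = { 0x12,0x34, 0x56,0x78, 5,0, 0,0, 0x01,0, 0x00,0x01, 0x02,0x03,0x04,0x05, 0,0,0,0 };
const uint8_t sample_data[12] = { 0,0, 0,0, 3,0, 0,0, DCCP_DATA << 1, 0xAA,0xBB,0xCC };
```

Truncating sample_request to its first 12 bytes reproduces the problematic shape (basic header present, extended fields absent); the second pull refuses it instead of reading past the copied bytes.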
Meta Information
Generated: 2026-05-06
AI Q&A: 2025-09-16
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 6 associated CPEs

Vendor  Product       Version / Range
linux   linux_kernel  from 2.6.26 (inclusive) to 5.4.251 (exclusive)
linux   linux_kernel  from 5.5 (inclusive) to 5.10.188 (exclusive)
linux   linux_kernel  from 5.11 (inclusive) to 5.15.121 (exclusive)
linux   linux_kernel  from 5.16 (inclusive) to 6.1.39 (exclusive)
linux   linux_kernel  from 6.2 (inclusive) to 6.3.13 (exclusive)
linux   linux_kernel  from 6.4 (inclusive) to 6.4.4 (exclusive)
CWE ID   Description
CWE-125  The product reads data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel's netfilter conntrack for DCCP involves improper handling of packet headers. The code copied only the basic DCCP header into a stack buffer, but then read beyond that buffer when accessing additional fields such as sequence numbers. This caused a stack out-of-bounds read, which is a memory safety issue. The fix increases the stack buffer to hold all necessary header parts, pulls the full header after validating the basic one, and rejects packets whose type requires 48-bit sequence numbers but lack them.

How can this vulnerability impact me?

The vulnerability can lead to a stack out-of-bounds read in the Linux kernel, which may cause kernel crashes or undefined behavior. This can potentially be exploited to compromise system stability or security, such as causing a denial of service or enabling further attacks on the kernel.

What immediate steps should I take to mitigate this vulnerability?

Apply the patch or update the Linux kernel to a version where the netfilter conntrack DCCP vulnerability has been fixed. Since the issue is a stack out-of-bounds read in nf_conntrack_dccp_packet, the kernel must include the fix that enlarges the stack buffer and validates packet headers properly. Additionally, consider disabling DCCP conntrack support if possible, as its removal is planned.
