CVE-2023-53354
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-17

Last updated on: 2025-12-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: skbuff: skb_segment, Call zero copy functions before using skbuff frags Commit bf5c25d60861 ("skbuff: in skb_segment, call zerocopy functions once per nskb") added the call to zero copy functions in skb_segment(). The change introduced a bug in skb_segment() because skb_orphan_frags() may possibly change the number of fragments or allocate new fragments altogether leaving nrfrags and frag to point to the old values. This can cause a panic with stacktrace like the one below. [ 193.894380] BUG: kernel NULL pointer dereference, address: 00000000000000bc [ 193.895273] CPU: 13 PID: 18164 Comm: vh-net-17428 Kdump: loaded Tainted: G O 5.15.123+ #26 [ 193.903919] RIP: 0010:skb_segment+0xb0e/0x12f0 [ 194.021892] Call Trace: [ 194.027422] <TASK> [ 194.072861] tcp_gso_segment+0x107/0x540 [ 194.082031] inet_gso_segment+0x15c/0x3d0 [ 194.090783] skb_mac_gso_segment+0x9f/0x110 [ 194.095016] __skb_gso_segment+0xc1/0x190 [ 194.103131] netem_enqueue+0x290/0xb10 [sch_netem] [ 194.107071] dev_qdisc_enqueue+0x16/0x70 [ 194.110884] __dev_queue_xmit+0x63b/0xb30 [ 194.121670] bond_start_xmit+0x159/0x380 [bonding] [ 194.128506] dev_hard_start_xmit+0xc3/0x1e0 [ 194.131787] __dev_queue_xmit+0x8a0/0xb30 [ 194.138225] macvlan_start_xmit+0x4f/0x100 [macvlan] [ 194.141477] dev_hard_start_xmit+0xc3/0x1e0 [ 194.144622] sch_direct_xmit+0xe3/0x280 [ 194.147748] __dev_queue_xmit+0x54a/0xb30 [ 194.154131] tap_get_user+0x2a8/0x9c0 [tap] [ 194.157358] tap_sendmsg+0x52/0x8e0 [tap] [ 194.167049] handle_tx_zerocopy+0x14e/0x4c0 [vhost_net] [ 194.173631] handle_tx+0xcd/0xe0 [vhost_net] [ 194.176959] vhost_worker+0x76/0xb0 [vhost] [ 194.183667] kthread+0x118/0x140 [ 194.190358] ret_from_fork+0x1f/0x30 [ 194.193670] </TASK> In this case calling skb_orphan_frags() updated nr_frags leaving nrfrags local variable in skb_segment() stale. This resulted in the code hitting i >= nrfrags prematurely and trying to move to next frag_skb using list_skb pointer, which was NULL, and caused kernel panic. Move the call to zero copy functions before using frags and nr_frags.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-17
Last Modified
2025-12-11
Generated
2026-05-07
AI Q&A
2025-09-17
EPSS Evaluated
2026-05-05
NVD
CVE-2023-53354
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 4.16 (inc) to 4.19.295 (exc)
linux linux_kernel From 4.20 (inc) to 5.4.257 (exc)
linux linux_kernel From 5.5 (inc) to 5.10.195 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.132 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.53 (exc)
linux linux_kernel From 6.2 (inc) to 6.4.16 (exc)
linux linux_kernel From 6.5 (inc) to 6.5.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a bug in the Linux kernel's skb_segment() function related to zero copy operations on socket buffers (skbuff). A recent change introduced a bug where skb_orphan_frags() can modify the number of fragments, leaving local variables stale. This causes the function to access a NULL pointer, leading to a kernel panic (crash). Essentially, the kernel tries to use invalid memory due to incorrect handling of skbuff fragments.


How can this vulnerability impact me? :

This vulnerability can cause the Linux kernel to panic and crash, resulting in a denial of service. Systems affected by this bug may become unstable or unresponsive, potentially disrupting network operations or other services relying on the kernel's networking stack.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring your system logs for kernel panic messages or NULL pointer dereference errors related to skb_segment, as shown in the provided stacktrace. You can check the kernel log using commands like 'dmesg | grep skb_segment' or 'journalctl -k | grep skb_segment' to look for related panic or error messages.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves updating your Linux kernel to a version that includes the fix for this vulnerability, where the call to zero copy functions is moved before using skbuff fragments in skb_segment(). Until then, avoid workloads or configurations that heavily use skb_segment or zero copy functions that might trigger this bug to prevent kernel panic.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart