CVE-2023-53354

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-53354
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53354.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53354
Downstream
Related
Published
2025-09-17T14:56:44.388Z
Modified
2026-03-20T12:33:07.156Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
skbuff: skb_segment, Call zero copy functions before using skbuff frags
Details

In the Linux kernel, the following vulnerability has been resolved:

skbuff: skb_segment, Call zero copy functions before using skbuff frags

Commit bf5c25d60861 ("skbuff: in skbsegment, call zerocopy functions once per nskb") added the call to zero copy functions in skbsegment(). The change introduced a bug in skbsegment() because skborphan_frags() may possibly change the number of fragments or allocate new fragments altogether leaving nrfrags and frag to point to the old values. This can cause a panic with stacktrace like the one below.

[ 193.894380] BUG: kernel NULL pointer dereference, address: 00000000000000bc [ 193.895273] CPU: 13 PID: 18164 Comm: vh-net-17428 Kdump: loaded Tainted: G O 5.15.123+ #26 [ 193.903919] RIP: 0010:skbsegment+0xb0e/0x12f0 [ 194.021892] Call Trace: [ 194.027422] <TASK> [ 194.072861] tcpgsosegment+0x107/0x540 [ 194.082031] inetgsosegment+0x15c/0x3d0 [ 194.090783] skbmacgsosegment+0x9f/0x110 [ 194.095016] __skbgsosegment+0xc1/0x190 [ 194.103131] netemenqueue+0x290/0xb10 [schnetem] [ 194.107071] devqdiscenqueue+0x16/0x70 [ 194.110884] __devqueuexmit+0x63b/0xb30 [ 194.121670] bondstartxmit+0x159/0x380 [bonding] [ 194.128506] devhardstart_xmit+0xc3/0x1e0 [ 194.131787] __devqueuexmit+0x8a0/0xb30 [ 194.138225] macvlanstartxmit+0x4f/0x100 [macvlan] [ 194.141477] devhardstartxmit+0xc3/0x1e0 [ 194.144622] schdirect_xmit+0xe3/0x280 [ 194.147748] _devqueuexmit+0x54a/0xb30 [ 194.154131] tapgetuser+0x2a8/0x9c0 [tap] [ 194.157358] tapsendmsg+0x52/0x8e0 [tap] [ 194.167049] handletxzerocopy+0x14e/0x4c0 [vhostnet] [ 194.173631] handletx+0xcd/0xe0 [vhostnet] [ 194.176959] vhostworker+0x76/0xb0 [vhost] [ 194.183667] kthread+0x118/0x140 [ 194.190358] retfromfork+0x1f/0x30 [ 194.193670] </TASK>

In this case calling skborphanfrags() updated nrfrags leaving nrfrags local variable in skbsegment() stale. This resulted in the code hitting i >= nrfrags prematurely and trying to move to next fragskb using listskb pointer, which was NULL, and caused kernel panic. Move the call to zero copy functions before using frags and nr_frags.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53354.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bf5c25d608613eaf4dcdba5a9cac5b2afe67d635
Fixed
fcab3f661dbfd88e27ddbbe65368f3fa2d823175
Fixed
d44403ec0676317b7f7edf2a035bb219fee3304e
Fixed
8836c266201c29a5acb4f582227686f47b65ad61
Fixed
d5790386595d06ea9decfd9ba5f1ea48cf09aa02
Fixed
04c3eee4e13f60bf6f9a366ad39f88a01a57166e
Fixed
f99006e840a4dbc8f5a34cecc6b5b26c73ef49bb
Fixed
6c26ed3c6abe86ddab0510529000b970b05c9b40
Fixed
2ea35288c83b3d501a88bc17f2df8f176b5cc96f

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53354.json"