DEBIAN-CVE-2023-53517

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2023-53517
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53517.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2023-53517
Upstream
Published
2025-10-01T12:15:55.873Z
Modified
2025-11-17T04:27:49.254952Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved: tipc: do not update mtu if msgmax is too small in mtu negotiation When doing link mtu negotiation, a malicious peer may send Activate msg with a very small mtu, e.g. 4 in Shuang's testing, without checking for the minimum mtu, l->mtu will be set to 4 in tipclinkprotorcv(), then n->links[bearerid].mtu is set to 4294967228, which is a overflow of '4 - INTHSIZE - EMSGOVERHEAD' in tipclinkmss(). With tipclink.mtu = 4, tipclinkxmit() kept printing the warning: tipc: Too large msg, purging xmit list 1 5 0 40 4! tipc: Too large msg, purging xmit list 1 15 0 60 4! And with tipclinkentry.mtu 4294967228, a huge skb was allocated in nameddistribute(), and when purging it in tipclinkxmit(), a crash was even caused: general protection fault, probably for non-canonical address 0x2100001011000dd: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 6.3.0.neta #19 RIP: 0010:kfreeskblistreason+0x7e/0x1f0 Call Trace: <IRQ> skbreleasedata+0xf9/0x1d0 kfreeskbreason+0x40/0x100 tipclinkxmit+0x57a/0x740 [tipc] tipcnodexmit+0x16c/0x5c0 [tipc] tipcnamednodeup+0x27f/0x2c0 [tipc] tipcnodewriteunlock+0x149/0x170 [tipc] tipcrcv+0x608/0x740 [tipc] tipcudprecv+0xdc/0x1f0 [tipc] udpqueuercvoneskb+0x33e/0x620 udpunicastrcvskb.isra.72+0x75/0x90 _udp4librcv+0x56d/0xc20 ipprotocoldeliverrcu+0x100/0x2d0 This patch fixes it by checking the new mtu against tipcbearerminmtu(), and not updating mtu if it is too small.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.191-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1
5.10.178-1
5.10.178-2
5.10.178-3
5.10.179-1
5.10.179-2
5.10.179-3
5.10.179-4
5.10.179-5

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53517.json"

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.37-1

Affected versions

6.*

6.1.27-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53517.json"

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.3.7-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53517.json"

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.3.7-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53517.json"