DEBIAN-CVE-2023-53726
- Source
- https://security-tracker.debian.org/tracker/CVE-2023-53726
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53726.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2023-53726
- Upstream
- Published
- 2025-10-22T14:15:47Z
- Modified
- 2025-10-23T09:19:04.367405Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved: arm64: csum: Fix OoB access in IP checksum code for negative lengths Although commit c2c24edb1d9c ("arm64: csum: Fix pathological zero-length calls") added an early return for zero-length input, syzkaller has popped up with an example of a negative length which causes an undefined shift and an out-of-bounds read: | BUG: KASAN: slab-out-of-bounds in docsum+0x44/0x254 arch/arm64/lib/csum.c:39 | Read of size 4294966928 at addr ffff0000d7ac0170 by task syz-executor412/5975 | | CPU: 0 PID: 5975 Comm: syz-executor412 Not tainted 6.4.0-rc4-syzkaller-g908f31f2a05b #0 | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 | Call trace: | dumpbacktrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233 | showstack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240 | _dumpstack lib/dumpstack.c:88 [inline] | dumpstacklvl+0xd0/0x124 lib/dumpstack.c:106 | printaddressdescription mm/kasan/report.c:351 [inline] | printreport+0x174/0x514 mm/kasan/report.c:462 | kasanreport+0xd4/0x130 mm/kasan/report.c:572 | kasancheckrange+0x264/0x2a4 mm/kasan/generic.c:187 | _kasancheckread+0x20/0x30 mm/kasan/shadow.c:31 | docsum+0x44/0x254 arch/arm64/lib/csum.c:39 | csumpartial+0x30/0x58 lib/checksum.c:128 | gsomakechecksum include/linux/skbuff.h:4928 [inline] | _udpgsosegment+0xaf4/0x1bc4 net/ipv4/udpoffload.c:332 | udp6ufofragment+0x540/0xca0 net/ipv6/udpoffload.c:47 | ipv6gsosegment+0x5cc/0x1760 net/ipv6/ip6offload.c:119 | skbmacgsosegment+0x2b4/0x5b0 net/core/gro.c:141 | _skbgsosegment+0x250/0x3d0 net/core/dev.c:3401 | skbgsosegment include/linux/netdevice.h:4859 [inline] | validatexmitskb+0x364/0xdbc net/core/dev.c:3659 | validatexmitskblist+0x94/0x130 net/core/dev.c:3709 | schdirectxmit+0xe8/0x548 net/sched/schgeneric.c:327 | _devxmitskb net/core/dev.c:3805 [inline] | _devqueuexmit+0x147c/0x3318 net/core/dev.c:4210 | devqueuexmit include/linux/netdevice.h:3085 [inline] | packetxmit+0x6c/0x318 net/packet/afpacket.c:276 | packetsnd net/packet/afpacket.c:3081 [inline] | packetsendmsg+0x376c/0x4c98 net/packet/afpacket.c:3113 | socksendmsgnosec net/socket.c:724 [inline] | socksendmsg net/socket.c:747 [inline] | _sys_sendto+0x3b4/0x538 net/socket.c:2144 Extend the early return to reject negative lengths as well, aligning our implementation with the generic code in lib/checksum.c
- References
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.10.197-1
Affected versions
5.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.55-1
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:14 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source