{
  "threat_severity" : "Important",
  "public_date" : "2025-05-02T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: veth: Fix use after free in XDP_REDIRECT",
    "id" : "2363720",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2363720"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nveth: Fix use after free in XDP_REDIRECT\nCommit 718a18a0c8a6 (\"veth: Rework veth_xdp_rcv_skb in order\nto accept non-linear skb\") introduced a bug where it tried to\nuse pskb_expand_head() if the headroom was less than\nXDP_PACKET_HEADROOM.  This however uses kmalloc to expand the head,\nwhich will later allow consume_skb() to free the skb while it is still\nin use by AF_XDP.\nPreviously if the headroom was less than XDP_PACKET_HEADROOM we\ncontinued on to allocate a new skb from pages so this restores that\nbehavior.", "A use-after-free vulnerability has been identified within the veth_convert_skb_to_xdp_buff() function of the Linux kernel's veth driver. The flaw stems from improper memory management during packet headroom expansion for XDP (eXpress Data Path). Specifically, when the pskb_expand_head() function allocates new memory via kmalloc to increase the packet headroom to meet the XDP_PACKET_HEADROOM requirement, a subsequent call to consume_skb() can prematurely free this memory while the AF_XDP subsystem is still actively processing the packet. This premature deallocation leads to a use-after-free condition. Successful exploitation of this vulnerability could result in memory corruption, denial of service, and overall system instability." ],
  "statement" : "v",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2025-05-26T00:00:00Z",
    "advisory" : "RHSA-2025:8133",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "kernel-0:5.14.0-284.118.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2025-05-26T00:00:00Z",
    "advisory" : "RHSA-2025:8134",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.118.1.rt14.403.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-06-02T00:00:00Z",
    "advisory" : "RHSA-2025:8399",
    "cpe" : "cpe:/o:redhat:rhel_e4s:9.2",
    "package" : "kpatch-patch"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53107\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53107\nhttps://lore.kernel.org/linux-cve-announce/2025050226-CVE-2023-53107-ef59@gregkh/T" ],
  "name" : "CVE-2023-53107",
  "csaw" : false
}