{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-15T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: xfrm: add NULL check in xfrm_update_ae_params",
    "id" : "2395408",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2395408"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nxfrm: add NULL check in xfrm_update_ae_params\nNormally, x->replay_esn and x->preplay_esn should be allocated at\nxfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the\nxfrm_update_ae_params(...) is okay to update them. However, the current\nimplementation of xfrm_new_ae(...) allows a malicious user to directly\ndereference a NULL pointer and crash the kernel like below.\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0\nOops: 0002 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774deaf1 #8\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4\nRIP: 0010:memcpy_orig+0xad/0x140\nCode: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c\nRSP: 0018:ffff888008f57658 EFLAGS: 00000202\nRAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571\nRDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818\nR13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000\nFS:  00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0\nCall Trace:\n<TASK>\n? __die+0x1f/0x70\n? page_fault_oops+0x1e8/0x500\n? __pfx_is_prefetch.constprop.0+0x10/0x10\n? __pfx_page_fault_oops+0x10/0x10\n? _raw_spin_unlock_irqrestore+0x11/0x40\n? fixup_exception+0x36/0x460\n? _raw_spin_unlock_irqrestore+0x11/0x40\n? exc_page_fault+0x5e/0xc0\n? asm_exc_page_fault+0x26/0x30\n? xfrm_update_ae_params+0xd1/0x260\n? memcpy_orig+0xad/0x140\n? __pfx__raw_spin_lock_bh+0x10/0x10\nxfrm_update_ae_params+0xe7/0x260\nxfrm_new_ae+0x298/0x4e0\n? __pfx_xfrm_new_ae+0x10/0x10\n? __pfx_xfrm_new_ae+0x10/0x10\nxfrm_user_rcv_msg+0x25a/0x410\n? __pfx_xfrm_user_rcv_msg+0x10/0x10\n? __alloc_skb+0xcf/0x210\n? stack_trace_save+0x90/0xd0\n? filter_irq_stacks+0x1c/0x70\n? __stack_depot_save+0x39/0x4e0\n? __kasan_slab_free+0x10a/0x190\n? kmem_cache_free+0x9c/0x340\n? netlink_recvmsg+0x23c/0x660\n? sock_recvmsg+0xeb/0xf0\n? __sys_recvfrom+0x13c/0x1f0\n? __x64_sys_recvfrom+0x71/0x90\n? do_syscall_64+0x3f/0x90\n? entry_SYSCALL_64_after_hwframe+0x72/0xdc\n? copyout+0x3e/0x50\nnetlink_rcv_skb+0xd6/0x210\n? __pfx_xfrm_user_rcv_msg+0x10/0x10\n? __pfx_netlink_rcv_skb+0x10/0x10\n? __pfx_sock_has_perm+0x10/0x10\n? mutex_lock+0x8d/0xe0\n? __pfx_mutex_lock+0x10/0x10\nxfrm_netlink_rcv+0x44/0x50\nnetlink_unicast+0x36f/0x4c0\n? __pfx_netlink_unicast+0x10/0x10\n? netlink_recvmsg+0x500/0x660\nnetlink_sendmsg+0x3b7/0x700\nThis Null-ptr-deref bug is assigned CVE-2023-3772. And this commit\nadds additional NULL check in xfrm_update_ae_params to fix the NPD." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:7077",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-513.5.1.el8_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-01-30T00:00:00Z",
    "advisory" : "RHSA-2024:0575",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.8",
    "package" : "kernel-0:4.18.0-477.43.1.el8_8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53147\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53147\nhttps://lore.kernel.org/linux-cve-announce/2025091551-CVE-2023-53147-8f20@gregkh/T" ],
  "name" : "CVE-2023-53147",
  "csaw" : false
}