{
  "threat_severity" : "Important",
  "public_date" : "2025-09-15T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: skbuff: Fix a race between coalescing and releasing SKBs",
    "id" : "2395254",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2395254"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nskbuff: Fix a race between coalescing and releasing SKBs\nCommit 1effe8ca4e34 (\"skbuff: fix coalescing for page_pool fragment\nrecycling\") allowed coalescing to proceed with non page pool page and page\npool page when @from is cloned, i.e.\nto->pp_recycle    --> false\nfrom->pp_recycle  --> true\nskb_cloned(from)  --> true\nHowever, it actually requires skb_cloned(@from) to hold true until\ncoalescing finishes in this situation. If the other cloned SKB is\nreleased while the merging is in process, from_shinfo->nr_frags will be\nset to 0 toward the end of the function, causing the increment of frag\npage _refcount to be unexpectedly skipped resulting in inconsistent\nreference counts. Later when SKB(@to) is released, it frees the page\ndirectly even though the page pool page is still in use, leading to\nuse-after-free or double-free errors. So it should be prohibited.\nThe double-free error message below prompted us to investigate:\nBUG: Bad page state in process swapper/1  pfn:0e0d1\npage:00000000c6548b28 refcount:-1 mapcount:0 mapping:0000000000000000\nindex:0x2 pfn:0xe0d1\nflags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)\nraw: 000fffffc0000000 0000000000000000 ffffffff00000101 0000000000000000\nraw: 0000000000000002 0000000000000000 ffffffffffffffff 0000000000000000\npage dumped because: nonzero _refcount\nCPU: 1 PID: 0 Comm: swapper/1 Tainted: G            E      6.2.0+\nCall Trace:\n<IRQ>\ndump_stack_lvl+0x32/0x50\nbad_page+0x69/0xf0\nfree_pcp_prepare+0x260/0x2f0\nfree_unref_page+0x20/0x1c0\nskb_release_data+0x10b/0x1a0\nnapi_consume_skb+0x56/0x150\nnet_rx_action+0xf0/0x350\n? __napi_schedule+0x79/0x90\n__do_softirq+0xc8/0x2b1\n__irq_exit_rcu+0xb9/0xf0\ncommon_interrupt+0x82/0xa0\n</IRQ>\n<TASK>\nasm_common_interrupt+0x22/0x40\nRIP: 0010:default_idle+0xb/0x20" ],
  "statement" : "A race condition in skb_try_coalesce() could lead to use-after-free or double-free when a cloned SKB with page_pool pages is released during coalescing. This results in inconsistent reference counts and potential kernel crashes.\nWhile primarily a denial-of-service issue, exploitation could theoretically be extended to arbitrary code execution, though the complexity of reliably triggering the race is high.\nThe flaw only affects systems with NIC drivers using the page_pool API, limiting its exposure in practice.\nThe bug does not affect Red Hat Enterprise Linux 8 (all versions) and affects only Red Hat Enterprise Linux 9 versions before 9.3.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-10-13T00:00:00Z",
    "advisory" : "RHSA-2025:17734",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.142.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-10-14T00:00:00Z",
    "advisory" : "RHSA-2025:17896",
    "cpe" : "cpe:/o:redhat:rhel_e4s:9.2",
    "package" : "kpatch-patch"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53186\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53186\nhttps://lore.kernel.org/linux-cve-announce/2025091557-CVE-2023-53186-25a4@gregkh/T" ],
  "name" : "CVE-2023-53186",
  "mitigation" : {
    "value" : "It is not possible to completely eliminate the theoretical risk of a remote exploit, but the attack is fairly complex and in many realistic deployments cannot be triggered from outside the local network. You can substantially reduce the likelihood of a successful attack by disabling network features that cause drivers to use the page_pool/zero-copy receive paths. The following commands are a conceptual example of mitigations — adapt them to your interface and driver:\n# replace eth0 with the actual interface name\n# turn off generic offloads that often change skb handling\nethtool -K eth0 gro off lro off gso off tso off rx off\n# disable rx/tx offload flags separately:\nethtool -K eth0 rxvlan off rxhash off\n# disable specific features (driver dependent)\nethtool -k eth0",
    "lang" : "en:us"
  },
  "csaw" : false
}