{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-15T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Linux kernel: Out-of-bounds write in VXLAN due to incorrect nexthop hash size leading to denial of service",
    "id" : "2395232",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2395232"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-190",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nvxlan: Fix nexthop hash size\nThe nexthop code expects a 31 bit hash, such as what is returned by\nfib_multipath_hash() and rt6_multipath_hash(). Passing the 32 bit hash\nreturned by skb_get_hash() can lead to problems related to the fact that\n'int hash' is a negative number when the MSB is set.\nIn the case of hash threshold nexthop groups, nexthop_select_path_hthr()\nwill disproportionately select the first nexthop group entry. In the case\nof resilient nexthop groups, nexthop_select_path_res() may do an out of\nbounds access in nh_buckets[], for example:\nhash = -912054133\nnum_nh_buckets = 2\nbucket_index = 65535\nwhich leads to the following panic:\n---truncated---", "A flaw was found in the Linux kernel's Virtual Extensible LAN (VXLAN) implementation. An attacker with elevated privileges (CAP_NET_ADMIN) can exploit this vulnerability by configuring the system to accept and forward VXLAN packets. The issue arises from an incorrect nexthop hash size, where a 32-bit hash is used instead of the expected 31-bit hash, leading to negative hash values. This can cause an out-of-bounds write in the nexthop group selection, resulting in a kernel panic and a denial of service (DoS)." ],
  "statement" : "This vulnerability requires elevated privileges (`CAP_NET_ADMIN`) to exploit, since it can only be triggered if the system is configured to accept and forward VXLAN packets.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-02-11T00:00:00Z",
    "advisory" : "RHSA-2026:2573",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.165.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-02-11T00:00:00Z",
    "advisory" : "RHSA-2026:2577",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.165.1.rt21.237.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-02-25T00:00:00Z",
    "advisory" : "RHSA-2026:3267",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.158.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-02-25T00:00:00Z",
    "advisory" : "RHSA-2026:3358",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.158.1.rt14.443.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53192\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53192\nhttps://lore.kernel.org/linux-cve-announce/2025091558-CVE-2023-53192-5ca6@gregkh/T" ],
  "name" : "CVE-2023-53192",
  "csaw" : false
}