{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-15T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: raw: Fix NULL deref in raw_get_next()",
    "id" : "2395229",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2395229"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nraw: Fix NULL deref in raw_get_next().\nDae R. Jeong reported a NULL deref in raw_get_next() [0].\nIt seems that the repro was running these sequences in parallel so\nthat one thread was iterating on a socket that was being freed in\nanother netns.\nunshare(0x40060200)\nr0 = syz_open_procfs(0x0, &(0x7f0000002080)='net/raw\\x00')\nsocket$inet_icmp_raw(0x2, 0x3, 0x1)\npread64(r0, &(0x7f0000000000)=\"\"/10, 0xa, 0x10000000007f)\nAfter commit 0daf07e52709 (\"raw: convert raw sockets to RCU\"), we\nuse RCU and hlist_nulls_for_each_entry() to iterate over SOCK_RAW\nsockets.  However, we should use spinlock for slow paths to avoid\nthe NULL deref.\nAlso, SOCK_RAW does not use SLAB_TYPESAFE_BY_RCU, and the slab object\nis not reused during iteration in the grace period.  In fact, the\nlockless readers do not check the nulls marker with get_nulls_value().\nSo, SOCK_RAW should use hlist instead of hlist_nulls.\nInstead of adding an unnecessary barrier by sk_nulls_for_each_rcu(),\nlet's convert hlist_nulls to hlist and use sk_for_each_rcu() for\nfast paths and sk_for_each() and spinlock for /proc/net/raw.\n[0]:\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\nCPU: 2 PID: 20952 Comm: syz-executor.0 Not tainted 6.2.0-g048ec869bafd-dirty #7\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nRIP: 0010:read_pnet include/net/net_namespace.h:383 [inline]\nRIP: 0010:sock_net include/net/sock.h:649 [inline]\nRIP: 0010:raw_get_next net/ipv4/raw.c:974 [inline]\nRIP: 0010:raw_get_idx net/ipv4/raw.c:986 [inline]\nRIP: 0010:raw_seq_start+0x431/0x800 net/ipv4/raw.c:995\nCode: ef e8 33 3d 94 f7 49 8b 6d 00 4c 89 ef e8 b7 65 5f f7 49 89 ed 49 83 c5 98 0f 84 9a 00 00 00 48 83 c5 c8 48 89 e8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 ef e8 00 3d 94 f7 4c 8b 7d 00 48 89 ef\nRSP: 0018:ffffc9001154f9b0 EFLAGS: 00010206\nRAX: 0000000000000005 RBX: 1ffff1100302c8fd RCX: 0000000000000000\nRDX: 0000000000000028 RSI: ffffc9001154f988 RDI: ffffc9000f77a338\nRBP: 0000000000000029 R08: ffffffff8a50ffb4 R09: fffffbfff24b6bd9\nR10: fffffbfff24b6bd9 R11: 0000000000000000 R12: ffff88801db73b78\nR13: fffffffffffffff9 R14: dffffc0000000000 R15: 0000000000000030\nFS:  00007f843ae8e700(0000) GS:ffff888063700000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055bb9614b35f CR3: 000000003c672000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\nseq_read_iter+0x4c6/0x10f0 fs/seq_file.c:225\nseq_read+0x224/0x320 fs/seq_file.c:162\npde_read fs/proc/inode.c:316 [inline]\nproc_reg_read+0x23f/0x330 fs/proc/inode.c:328\nvfs_read+0x31e/0xd30 fs/read_write.c:468\nksys_pread64 fs/read_write.c:665 [inline]\n__do_sys_pread64 fs/read_write.c:675 [inline]\n__se_sys_pread64 fs/read_write.c:672 [inline]\n__x64_sys_pread64+0x1e9/0x280 fs/read_write.c:672\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x478d29\nCode: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f843ae8dbe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000011\nRAX: ffffffffffffffda RBX: 0000000000791408 RCX: 0000000000478d29\nRDX: 000000000000000a RSI: 0000000020000000 RDI: 0000000000000003\nRBP: 00000000f477909a R08: 0000000000000000 R09: 0000000000000000\nR10: 000010000000007f R11: 0000000000000246 R12: 0000000000791740\nR13: 0000000000791414 R14: 0000000000791408 R15: 00007ffc2eb48a50\n</TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010\n---truncated---" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53198\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53198\nhttps://lore.kernel.org/linux-cve-announce/2025091559-CVE-2023-53198-094a@gregkh/T" ],
  "name" : "CVE-2023-53198",
  "csaw" : false
}