{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-17T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev()",
    "id" : "2396136",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2396136"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nicmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev().\nWith some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that\nhas the link-local address as src and dst IP and will be forwarded to\nan external IP in the IPv6 Ext Hdr.\nFor example, the script below generates a packet whose src IP is the\nlink-local address and dst is updated to 11::.\n# for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 > $f; done\n# python3\n>>> from socket import *\n>>> from scapy.all import *\n>>>\n>>> SRC_ADDR = DST_ADDR = \"fe80::5054:ff:fe12:3456\"\n>>>\n>>> pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR)\n>>> pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=[\"11::\", \"22::\"], segleft=1)\n>>>\n>>> sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW)\n>>> sk.sendto(bytes(pkt), (DST_ADDR, 0))\nFor such a packet, we call ip6_route_input() to look up a route for the\nnext destination in these three functions depending on the header type.\n* ipv6_rthdr_rcv()\n* ipv6_rpl_srh_rcv()\n* ipv6_srh_rcv()\nIf no route is found, ip6_null_entry is set to skb, and the following\ndst_input(skb) calls ip6_pkt_drop().\nFinally, in icmp6_dev(), we dereference skb_rt6_info(skb)->rt6i_idev->dev\nas the input device is the loopback interface.  Then, we have to check if\nskb_rt6_info(skb)->rt6i_idev is NULL or not to avoid NULL pointer deref\nfor ip6_null_entry.\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPF: supervisor read access in kernel mode\nPF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503)\nCode: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01\nRSP: 0018:ffffc90000003c70 EFLAGS: 00000286\nRAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0\nRDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18\nRBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001\nR10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10\nR13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0\nFS:  00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n<IRQ>\nip6_pkt_drop (net/ipv6/route.c:4513)\nipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686)\nip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5))\nip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483)\n__netif_receive_skb_one_core (net/core/dev.c:5455)\nprocess_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895)\n__napi_poll (net/core/dev.c:6460)\nnet_rx_action (net/core/dev.c:6529 net/core/dev.c:6660)\n__do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)\ndo_softirq (kernel/softirq.c:454 kernel/softirq.c:441)\n</IRQ>\n<TASK>\n__local_bh_enable_ip (kernel/softirq.c:381)\n__dev_queue_xmit (net/core/dev.c:4231)\nip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135)\nrawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914)\nsock_sendmsg (net/socket.c:725 net/socket.c:748)\n__sys_sendto (net/socket.c:2134)\n__x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142)\ndo_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nRIP: 0033:0x7f9dc751baea\nCode: d8 64 89 02 48 c7 c0 ff f\n---truncated---" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-05-22T00:00:00Z",
    "advisory" : "RHSA-2024:3138",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53343\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53343\nhttps://lore.kernel.org/linux-cve-announce/2025091719-CVE-2023-53343-880b@gregkh/T" ],
  "name" : "CVE-2023-53343",
  "csaw" : false
}