{ "threat_severity" : "Moderate", "public_date" : "2025-10-01T00:00:00Z", "bugzilla" : { "description" : "kernel: ipv6: Add lwtunnel encap size of all siblings in nexthop calculation", "id" : "2400802", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2400802" }, "cvss3" : { "cvss3_base_score" : "6.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-131", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nipv6: Add lwtunnel encap size of all siblings in nexthop calculation\nIn function rt6_nlmsg_size(), the length of nexthop is calculated\nby multipling the nexthop length of fib6_info and the number of\nsiblings. However if the fib6_info has no lwtunnel but the siblings\nhave lwtunnels, the nexthop length is less than it should be, and\nit will trigger a warning in inet6_rt_notify() as follows:\nWARNING: CPU: 0 PID: 6082 at net/ipv6/route.c:6180 inet6_rt_notify+0x120/0x130\n......\nCall Trace:\n\nfib6_add_rt2node+0x685/0xa30\nfib6_add+0x96/0x1b0\nip6_route_add+0x50/0xd0\ninet6_rtm_newroute+0x97/0xa0\nrtnetlink_rcv_msg+0x156/0x3d0\nnetlink_rcv_skb+0x5a/0x110\nnetlink_unicast+0x246/0x350\nnetlink_sendmsg+0x250/0x4c0\nsock_sendmsg+0x66/0x70\n___sys_sendmsg+0x7c/0xd0\n__sys_sendmsg+0x5d/0xb0\ndo_syscall_64+0x3f/0x90\nentry_SYSCALL_64_after_hwframe+0x72/0xdc\nThis bug can be reproduced by script:\nip -6 addr add 2002::2/64 dev ens2\nip -6 route add 100::/64 via 2002::1 dev ens2 metric 100\nfor i in 10 20 30 40 50 60 70;\ndo\nip link add link ens2 name ipv_$i type ipvlan\nip -6 addr add 2002::$i/64 dev ipv_$i\nifconfig ipv_$i up\ndone\nfor i in 10 20 30 40 50 60;\ndo\nip -6 route append 100::/64 encap ip6 dst 2002::$i via 2002::1\ndev ipv_$i metric 100\ndone\nip -6 route append 100::/64 via 2002::1 dev ipv_70 metric 100\nThis patch fixes it by adding nexthop_len of every siblings using\nrt6_nh_nlmsg_size()." ], "statement" : "This vulnerability can only be triggered by a user with elevated privileges (`CAP_NET_ADMIN`), as it requires modifying kernel routing tables via netlink.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53477\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53477\nhttps://lore.kernel.org/linux-cve-announce/2025100111-CVE-2023-53477-93d5@gregkh/T" ], "name" : "CVE-2023-53477", "csaw" : false }