{ "threat_severity" : "Moderate", "public_date" : "2025-10-04T00:00:00Z", "bugzilla" : { "description" : "kernel: Linux kernel iavf driver: Denial of Service via use-after-free vulnerability", "id" : "2401478", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401478" }, "cvss3" : { "cvss3_base_score" : "6.6", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "status" : "verified" }, "cwe" : "CWE-664", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\niavf: Fix use-after-free in free_netdev\nWe do netif_napi_add() for all allocated q_vectors[], but potentially\ndo netif_napi_del() for part of them, then kfree q_vectors and leave\ninvalid pointers at dev->napi_list.\nReproducer:\n[root@host ~]# cat repro.sh\n#!/bin/bash\npf_dbsf=\"0000:41:00.0\"\nvf0_dbsf=\"0000:41:02.0\"\ng_pids=()\nfunction do_set_numvf()\n{\necho 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs\nsleep $((RANDOM%3+1))\necho 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs\nsleep $((RANDOM%3+1))\n}\nfunction do_set_channel()\n{\nlocal nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/)\n[ -z \"$nic\" ] && { sleep $((RANDOM%3)) ; return 1; }\nifconfig $nic 192.168.18.5 netmask 255.255.255.0\nifconfig $nic up\nethtool -L $nic combined 1\nethtool -L $nic combined 4\nsleep $((RANDOM%3))\n}\nfunction on_exit()\n{\nlocal pid\nfor pid in \"${g_pids[@]}\"; do\nkill -0 \"$pid\" &>/dev/null && kill \"$pid\" &>/dev/null\ndone\ng_pids=()\n}\ntrap \"on_exit; exit\" EXIT\nwhile :; do do_set_numvf ; done &\ng_pids+=($!)\nwhile :; do do_set_channel ; done &\ng_pids+=($!)\nwait\nResult:\n[ 4093.900222] ==================================================================\n[ 4093.900230] BUG: KASAN: use-after-free in free_netdev+0x308/0x390\n[ 4093.900232] Read of size 8 at addr ffff88b4dc145640 by task repro.sh/6699\n[ 4093.900233]\n[ 4093.900236] CPU: 10 PID: 6699 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1\n[ 4093.900238] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021\n[ 4093.900239] Call Trace:\n[ 4093.900244] dump_stack+0x71/0xab\n[ 4093.900249] print_address_description+0x6b/0x290\n[ 4093.900251] ? free_netdev+0x308/0x390\n[ 4093.900252] kasan_report+0x14a/0x2b0\n[ 4093.900254] free_netdev+0x308/0x390\n[ 4093.900261] iavf_remove+0x825/0xd20 [iavf]\n[ 4093.900265] pci_device_remove+0xa8/0x1f0\n[ 4093.900268] device_release_driver_internal+0x1c6/0x460\n[ 4093.900271] pci_stop_bus_device+0x101/0x150\n[ 4093.900273] pci_stop_and_remove_bus_device+0xe/0x20\n[ 4093.900275] pci_iov_remove_virtfn+0x187/0x420\n[ 4093.900277] ? pci_iov_add_virtfn+0xe10/0xe10\n[ 4093.900278] ? pci_get_subsys+0x90/0x90\n[ 4093.900280] sriov_disable+0xed/0x3e0\n[ 4093.900282] ? bus_find_device+0x12d/0x1a0\n[ 4093.900290] i40e_free_vfs+0x754/0x1210 [i40e]\n[ 4093.900298] ? i40e_reset_all_vfs+0x880/0x880 [i40e]\n[ 4093.900299] ? pci_get_device+0x7c/0x90\n[ 4093.900300] ? pci_get_subsys+0x90/0x90\n[ 4093.900306] ? pci_vfs_assigned.part.7+0x144/0x210\n[ 4093.900309] ? __mutex_lock_slowpath+0x10/0x10\n[ 4093.900315] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e]\n[ 4093.900318] sriov_numvfs_store+0x214/0x290\n[ 4093.900320] ? sriov_totalvfs_show+0x30/0x30\n[ 4093.900321] ? __mutex_lock_slowpath+0x10/0x10\n[ 4093.900323] ? __check_object_size+0x15a/0x350\n[ 4093.900326] kernfs_fop_write+0x280/0x3f0\n[ 4093.900329] vfs_write+0x145/0x440\n[ 4093.900330] ksys_write+0xab/0x160\n[ 4093.900332] ? __ia32_sys_read+0xb0/0xb0\n[ 4093.900334] ? fput_many+0x1a/0x120\n[ 4093.900335] ? filp_close+0xf0/0x130\n[ 4093.900338] do_syscall_64+0xa0/0x370\n[ 4093.900339] ? page_fault+0x8/0x30\n[ 4093.900341] entry_SYSCALL_64_after_hwframe+0x65/0xca\n[ 4093.900357] RIP: 0033:0x7f16ad4d22c0\n[ 4093.900359] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24\n[ 4093.900360] RSP: 002b:00007ffd6491b7f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ 4093.900362] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f16ad4d22c0\n[ 4093.900363] RDX: 0000000000000002 RSI: 0000000001a41408 RDI: 0000000000000001\n[ 4093.900364] RBP: 0000000001a41408 R08: 00007f16ad7a1780 R09: 00007f16ae1f2700\n[ 4093.9003\n---truncated---", "A flaw was found in the Linux kernel's iavf driver. A local user with administrative capabilities can exploit a use-after-free vulnerability, caused by a mismatch in network interface (NAPI) list management functions. This can lead to dangling NAPI entries, resulting in a kernel crash and a Denial of Service (DoS)." ], "statement" : "A use-after-free in the Intel iavf driver could be triggered by a mismatch between netif_napi_add() and netif_napi_del(), leaving dangling NAPI entries and crashing in free_netdev(). Exploitation requires local administrative capabilities (SR-IOV toggling and channel reconfiguration), so the practical impact is mostly a kernel DoS rather than privilege escalation. For the CVSS the PR:H — because changing sriov_numvfs (PF) and ethtool -L (VF) requires CAP_SYS_ADMIN/CAP_NET_ADMIN.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-11-14T00:00:00Z", "advisory" : "RHSA-2023:7077", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-513.5.1.el8_9" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date" : "2023-10-10T00:00:00Z", "advisory" : "RHSA-2023:5627", "cpe" : "cpe:/o:redhat:rhel_eus:8.6", "package" : "kernel-0:4.18.0-372.75.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-09-12T00:00:00Z", "advisory" : "RHSA-2023:5069", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.30.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-09-12T00:00:00Z", "advisory" : "RHSA-2023:5069", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.30.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date" : "2023-10-10T00:00:00Z", "advisory" : "RHSA-2023:5627", "cpe" : "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package" : "kernel-0:4.18.0-372.75.1.el8_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53556\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53556\nhttps://lore.kernel.org/linux-cve-announce/2025100448-CVE-2023-53556-db4c@gregkh/T" ], "name" : "CVE-2023-53556", "csaw" : false }