{ "threat_severity" : "Moderate", "public_date" : "2025-10-04T00:00:00Z", "bugzilla" : { "description" : "kernel: ip_vti: fix potential slab-use-after-free in decode_session6", "id" : "2401489", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401489" }, "cvss3" : { "cvss3_base_score" : "6.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-825", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nip_vti: fix potential slab-use-after-free in decode_session6\nWhen ip_vti device is set to the qdisc of the sfb type, the cb field\nof the sent skb may be modified during enqueuing. Then,\nslab-use-after-free may occur when ip_vti device sends IPv6 packets.\nAs commit f855691975bb (\"xfrm6: Fix the nexthdr offset in\n_decode_session6.\") showed, xfrm_decode_session was originally intended\nonly for the receive path. IP6CB(skb)->nhoff is not set during\ntransmission. Therefore, set the cb field in the skb to 0 before\nsending packets.", "A use-after-free flaw was found in the Linux kernel's ip_vti (IPsec Virtual Tunnel Interface) implementation when transmitting IPv6 packets with the SFB qdisc attached. A local user with CAP_NET_ADMIN capability can trigger this issue by configuring an ip_vti interface with an SFB qdisc and sending IPv6 traffic, causing the socket buffer control block to be modified during packet enqueuing and subsequently accessed after potential freeing during session decoding. This results in slab use-after-free, leading to kernel panic or potential memory corruption." ], "statement" : "The ip_vti driver uses the socket buffer's control block (cb field) for internal state tracking. When the SFB (Stochastic Fair Blue) qdisc is attached to an ip_vti device, the qdisc modifies this cb field during packet enqueuing. Later, when decode_session6 is called on the transmit path, it attempts to access IP6CB(skb)->nhoff, which was designed only for the receive path and is not initialized during transmission. The modified cb field contents from the qdisc can cause the decoder to access invalid memory regions, potentially accessing already-freed slab objects.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-05-22T00:00:00Z", "advisory" : "RHSA-2024:3138", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53559\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53559\nhttps://lore.kernel.org/linux-cve-announce/2025100449-CVE-2023-53559-c2f0@gregkh/T" ], "name" : "CVE-2023-53559", "csaw" : false }