{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-07T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: tcp: fix skb_copy_ubufs() vs BIG TCP",
    "id" : "2402224",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2402224"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-131",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ntcp: fix skb_copy_ubufs() vs BIG TCP\nDavid Ahern reported crashes in skb_copy_ubufs() caused by TCP tx zerocopy\nusing hugepages, and skb length bigger than ~68 KB.\nskb_copy_ubufs() assumed it could copy all payload using up to\nMAX_SKB_FRAGS order-0 pages.\nThis assumption broke when BIG TCP was able to put up to 512 KB per skb.\nWe did not hit this bug at Google because we use CONFIG_MAX_SKB_FRAGS=45\nand limit gso_max_size to 180000.\nA solution is to use higher order pages if needed.\nv2: add missing __GFP_COMP, or we leak memory." ],
  "statement" : "The bug could happen in skb_copy_ubufs() when BIG TCP allows very large skbs (e.g., ~512 KB) and TCP TX zerocopy with hugepages is used. Leads to Kernel Panic under specific, non-default conditions: BIG TCP/gso_max_size configured large, zerocopy transmit enabled, and traffic producing >64 KB skbs. The impact level likely only DOS, but theoretically could be used for privileges escalation, so for the CVSS keeping higher range value CIA:LLH.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53669\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53669\nhttps://lore.kernel.org/linux-cve-announce/2025100705-CVE-2023-53669-f81f@gregkh/T" ],
  "name" : "CVE-2023-53669",
  "csaw" : false
}