{ "threat_severity" : "Moderate", "public_date" : "2025-10-22T00:00:00Z", "bugzilla" : { "description" : "kernel: xsk: fix refcount underflow in error path", "id" : "2405730", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2405730" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-911", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nxsk: fix refcount underflow in error path\nFix a refcount underflow problem reported by syzbot that can happen\nwhen a system is running out of memory. If xp_alloc_tx_descs() fails,\nand it can only fail due to not having enough memory, then the error\npath is triggered. In this error path, the refcount of the pool is\ndecremented as it has incremented before. However, the reference to\nthe pool in the socket was not nulled. This means that when the socket\nis closed later, the socket teardown logic will think that there is a\npool attached to the socket and try to decrease the refcount again,\nleading to a refcount underflow.\nI chose this fix as it involved adding just a single line. Another\noption would have been to move xp_get_pool() and the assignment of\nxs->pool to after the if-statement and using xs_umem->pool instead of\nxs->pool in the whole if-statement resulting in somewhat simpler code,\nbut this would have led to much more churn in the code base perhaps\nmaking it harder to backport." ], "statement" : "In xsk_bind(), if xp_alloc_tx_descs() fails (OOM), the error path decremented the pool’s refcount via xp_put_pool(xs->pool) but did not null out xs->pool. On socket teardown, the code would attempt another put, causing a refcount underflow and potential kernel BUG or use-after-free. The fix sets xs->pool = NULL after the first put, preventing the double decrement. Practical triggering typically requires privileged ability to create/bind AF_XDP sockets and induce low-memory conditions.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-05-22T00:00:00Z", "advisory" : "RHSA-2024:3138", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.el8_10" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53698\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53698\nhttps://lore.kernel.org/linux-cve-announce/2025102211-CVE-2023-53698-c1f4@gregkh/T" ], "name" : "CVE-2023-53698", "csaw" : false }