{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-09T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ip6_vti: fix slab-use-after-free in decode_session6",
    "id" : "2420329",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2420329"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-825",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nip6_vti: fix slab-use-after-free in decode_session6\nWhen ipv6_vti device is set to the qdisc of the sfb type, the cb field\nof the sent skb may be modified during enqueuing. Then,\nslab-use-after-free may occur when ipv6_vti device sends IPv6 packets.\nThe stack information is as follows:\nBUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890\nRead of size 1 at addr ffff88802e08edc2 by task swapper/0/0\nCPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0-next-20230707-00001-g84e2cad7f979 #410\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014\nCall Trace:\n<IRQ>\ndump_stack_lvl+0xd9/0x150\nprint_address_description.constprop.0+0x2c/0x3c0\nkasan_report+0x11d/0x130\ndecode_session6+0x103f/0x1890\n__xfrm_decode_session+0x54/0xb0\nvti6_tnl_xmit+0x3e6/0x1ee0\ndev_hard_start_xmit+0x187/0x700\nsch_direct_xmit+0x1a3/0xc30\n__qdisc_run+0x510/0x17a0\n__dev_queue_xmit+0x2215/0x3b10\nneigh_connected_output+0x3c2/0x550\nip6_finish_output2+0x55a/0x1550\nip6_finish_output+0x6b9/0x1270\nip6_output+0x1f1/0x540\nndisc_send_skb+0xa63/0x1890\nndisc_send_rs+0x132/0x6f0\naddrconf_rs_timer+0x3f1/0x870\ncall_timer_fn+0x1a0/0x580\nexpire_timers+0x29b/0x4b0\nrun_timer_softirq+0x326/0x910\n__do_softirq+0x1d4/0x905\nirq_exit_rcu+0xb7/0x120\nsysvec_apic_timer_interrupt+0x97/0xc0\n</IRQ>\nAllocated by task 9176:\nkasan_save_stack+0x22/0x40\nkasan_set_track+0x25/0x30\n__kasan_slab_alloc+0x7f/0x90\nkmem_cache_alloc_node+0x1cd/0x410\nkmalloc_reserve+0x165/0x270\n__alloc_skb+0x129/0x330\nnetlink_sendmsg+0x9b1/0xe30\nsock_sendmsg+0xde/0x190\n____sys_sendmsg+0x739/0x920\n___sys_sendmsg+0x110/0x1b0\n__sys_sendmsg+0xf7/0x1c0\ndo_syscall_64+0x39/0xb0\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nFreed by task 9176:\nkasan_save_stack+0x22/0x40\nkasan_set_track+0x25/0x30\nkasan_save_free_info+0x2b/0x40\n____kasan_slab_free+0x160/0x1c0\nslab_free_freelist_hook+0x11b/0x220\nkmem_cache_free+0xf0/0x490\nskb_free_head+0x17f/0x1b0\nskb_release_data+0x59c/0x850\nconsume_skb+0xd2/0x170\nnetlink_unicast+0x54f/0x7f0\nnetlink_sendmsg+0x926/0xe30\nsock_sendmsg+0xde/0x190\n____sys_sendmsg+0x739/0x920\n___sys_sendmsg+0x110/0x1b0\n__sys_sendmsg+0xf7/0x1c0\ndo_syscall_64+0x39/0xb0\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nThe buggy address belongs to the object at ffff88802e08ed00\nwhich belongs to the cache skbuff_small_head of size 640\nThe buggy address is located 194 bytes inside of\nfreed 640-byte region [ffff88802e08ed00, ffff88802e08ef80)\nAs commit f855691975bb (\"xfrm6: Fix the nexthdr offset in\n_decode_session6.\") showed, xfrm_decode_session was originally intended\nonly for the receive path. IP6CB(skb)->nhoff is not set during\ntransmission. Therefore, set the cb field in the skb to 0 before\nsending packets.", "A use-after-free vulnerability was found in the IPv6 VTI (Virtual Tunnel Interface) implementation in the Linux kernel. When an IPv6 VTI device uses the SFB (Stochastic Fair Blue) qdisc, the control block (cb) field of an skb can be modified during packet enqueuing. The decode_session6() function then reads from this modified cb field, accessing freed memory (IP6CB(skb)->nhoff was not set for transmit path). This can lead to kernel crashes or potentially arbitrary code execution." ],
  "statement" : "This is a use-after-free vulnerability in IPv6 VTI tunnel handling that can be triggered when specific qdisc configurations are used. The vulnerability requires local access and specific network configuration involving VTI tunnels with SFB qdisc.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-05-22T00:00:00Z",
    "advisory" : "RHSA-2024:3138",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2026-02-26T00:00:00Z",
    "advisory" : "RHSA-2026:3388",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.2",
    "package" : "kernel-0:4.18.0-193.187.1.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2026-02-25T00:00:00Z",
    "advisory" : "RHSA-2026:3360",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.186.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-02-25T00:00:00Z",
    "advisory" : "RHSA-2026:3360",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "kernel-0:4.18.0-305.186.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2026-02-25T00:00:00Z",
    "advisory" : "RHSA-2026:3268",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.181.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2026-02-25T00:00:00Z",
    "advisory" : "RHSA-2026:3268",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.181.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2026-02-25T00:00:00Z",
    "advisory" : "RHSA-2026:3268",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.181.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2026-02-25T00:00:00Z",
    "advisory" : "RHSA-2026:3277",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.130.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-02-25T00:00:00Z",
    "advisory" : "RHSA-2026:3277",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.130.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-02-25T00:00:00Z",
    "advisory" : "RHSA-2026:3293",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.167.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-02-25T00:00:00Z",
    "advisory" : "RHSA-2026:3375",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.167.1.rt21.239.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-02-25T00:00:00Z",
    "advisory" : "RHSA-2026:3267",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.158.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-02-25T00:00:00Z",
    "advisory" : "RHSA-2026:3358",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.158.1.rt14.443.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53821\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53821\nhttps://lore.kernel.org/linux-cve-announce/2025120950-CVE-2023-53821-9542@gregkh/T" ],
  "name" : "CVE-2023-53821",
  "csaw" : false
}