{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-30T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net/sched: flower: fix filter idr initialization",
    "id" : "2426193",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426193"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-368",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/sched: flower: fix filter idr initialization\nThe cited commit moved idr initialization too early in fl_change() which\nallows concurrent users to access the filter that is still being\ninitialized and is in inconsistent state, which, in turn, can cause NULL\npointer dereference [0]. Since there is no obvious way to fix the ordering\nwithout reverting the whole cited commit, alternative approach taken to\nfirst insert NULL pointer into idr in order to allocate the handle but\nstill cause fl_get() to return NULL and prevent concurrent users from\nseeing the filter while providing miss-to-action infrastructure with valid\nhandle id early in fl_change().", "A flaw was found in the Linux kernel’s networking traffic control flower classifier. The initialization of the filter IDR was moved too early in the fl_change() path, allowing concurrent access by multiple users while the structure was still in an inconsistent state. Under certain conditions, this race condition can lead to unexpected behavior including a NULL pointer dereference and kernel crash" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:7077",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-513.5.1.el8_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54206\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54206\nhttps://lore.kernel.org/linux-cve-announce/2025123022-CVE-2023-54206-1057@gregkh/T" ],
  "name" : "CVE-2023-54206",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}