{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-30T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net/mlx5e: TC, Fix using eswitch mapping in nic mode",
    "id" : "2426241",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426241"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-676",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/mlx5e: TC, Fix using eswitch mapping in nic mode\nCited patch is using the eswitch object mapping pool while\nin nic mode where it isn't initialized. This results in the\ntrace below [0].\nFix that by using either nic or eswitch object mapping pool\ndepending if eswitch is enabled or not.\n[0]:\n[  826.446057] ==================================================================\n[  826.446729] BUG: KASAN: slab-use-after-free in mlx5_add_flow_rules+0x30/0x490 [mlx5_core]\n[  826.447515] Read of size 8 at addr ffff888194485830 by task tc/6233\n[  826.448243] CPU: 16 PID: 6233 Comm: tc Tainted: G        W          6.3.0-rc6+ #1\n[  826.448890] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[  826.449785] Call Trace:\n[  826.450052]  <TASK>\n[  826.450302]  dump_stack_lvl+0x33/0x50\n[  826.450650]  print_report+0xc2/0x610\n[  826.450998]  ? __virt_addr_valid+0xb1/0x130\n[  826.451385]  ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core]\n[  826.451935]  kasan_report+0xae/0xe0\n[  826.452276]  ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core]\n[  826.452829]  mlx5_add_flow_rules+0x30/0x490 [mlx5_core]\n[  826.453368]  ? __kmalloc_node+0x5a/0x120\n[  826.453733]  esw_add_restore_rule+0x20f/0x270 [mlx5_core]\n[  826.454288]  ? mlx5_eswitch_add_send_to_vport_meta_rule+0x260/0x260 [mlx5_core]\n[  826.455011]  ? mutex_unlock+0x80/0xd0\n[  826.455361]  ? __mutex_unlock_slowpath.constprop.0+0x210/0x210\n[  826.455862]  ? mapping_add+0x2cb/0x440 [mlx5_core]\n[  826.456425]  mlx5e_tc_action_miss_mapping_get+0x139/0x180 [mlx5_core]\n[  826.457058]  ? mlx5e_tc_update_skb_nic+0xb0/0xb0 [mlx5_core]\n[  826.457636]  ? __kasan_kmalloc+0x77/0x90\n[  826.458000]  ? __kmalloc+0x57/0x120\n[  826.458336]  mlx5_tc_ct_flow_offload+0x325/0xe40 [mlx5_core]\n[  826.458916]  ? ct_kernel_enter.constprop.0+0x48/0xa0\n[  826.459360]  ? 
mlx5_tc_ct_parse_action+0xf0/0xf0 [mlx5_core]\n[  826.459933]  ? mlx5e_mod_hdr_attach+0x491/0x520 [mlx5_core]\n[  826.460507]  ? mlx5e_mod_hdr_get+0x12/0x20 [mlx5_core]\n[  826.461046]  ? mlx5e_tc_attach_mod_hdr+0x154/0x170 [mlx5_core]\n[  826.461635]  mlx5e_configure_flower+0x969/0x2110 [mlx5_core]\n[  826.462217]  ? _raw_spin_lock_bh+0x85/0xe0\n[  826.462597]  ? __mlx5e_add_fdb_flow+0x750/0x750 [mlx5_core]\n[  826.463163]  ? kasan_save_stack+0x2e/0x40\n[  826.463534]  ? down_read+0x115/0x1b0\n[  826.463878]  ? down_write_killable+0x110/0x110\n[  826.464288]  ? tc_setup_action.part.0+0x9f/0x3b0\n[  826.464701]  ? mlx5e_is_uplink_rep+0x4c/0x90 [mlx5_core]\n[  826.465253]  ? mlx5e_tc_reoffload_flows_work+0x130/0x130 [mlx5_core]\n[  826.465878]  tc_setup_cb_add+0x112/0x250\n[  826.466247]  fl_hw_replace_filter+0x230/0x310 [cls_flower]\n[  826.466724]  ? fl_hw_destroy_filter+0x1a0/0x1a0 [cls_flower]\n[  826.467212]  fl_change+0x14e1/0x2030 [cls_flower]\n[  826.467636]  ? sock_def_readable+0x89/0x120\n[  826.468019]  ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower]\n[  826.468509]  ? kasan_unpoison+0x23/0x50\n[  826.468873]  ? get_random_u16+0x180/0x180\n[  826.469244]  ? __radix_tree_lookup+0x2b/0x130\n[  826.469640]  ? fl_get+0x7b/0x140 [cls_flower]\n[  826.470042]  ? fl_mask_put+0x200/0x200 [cls_flower]\n[  826.470478]  ? __mutex_unlock_slowpath.constprop.0+0x210/0x210\n[  826.470973]  ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower]\n[  826.471427]  tc_new_tfilter+0x644/0x1050\n[  826.471795]  ? tc_get_tfilter+0x860/0x860\n[  826.472170]  ? __thaw_task+0x130/0x130\n[  826.472525]  ? arch_stack_walk+0x98/0xf0\n[  826.472892]  ? cap_capable+0x9f/0xd0\n[  826.473235]  ? security_capable+0x47/0x60\n[  826.473608]  rtnetlink_rcv_msg+0x1d5/0x550\n[  826.473985]  ? rtnl_calcit.isra.0+0x1f0/0x1f0\n[  826.474383]  ? __stack_depot_save+0x35/0x4c0\n[  826.474779]  ? kasan_save_stack+0x2e/0x40\n[  826.475149]  ? kasan_save_stack+0x1e/0x40\n[  826.475518]  ? 
__kasan_record_aux_stack+0x9f/0xb0\n[  826.475939]  ? task_work_add+0x77/0x1c0\n[  826.476305]  netlink_rcv_skb+0xe0/0x210\n---truncated---", "A flaw was found in the Linux kernel net/mlx5e Ethernet driver’s traffic control handling code. Under certain configurations when operating in NIC mode, the driver erroneously uses the eswitch object mapping pool, which is not initialized in that mode. This can lead to an invalid mapping reference and related kernel trace conditions, potentially causing network driver instability or denial of service. An unprivileged local user with access to configure traffic control on an affected system may be able to trigger this condition." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:7077",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-513.5.1.el8_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54216\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54216\nhttps://lore.kernel.org/linux-cve-announce/2025123025-CVE-2023-54216-93c5@gregkh/T" ],
  "name" : "CVE-2023-54216",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}