{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-30T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX",
    "id" : "2426020",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426020"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.6",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-190",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX.\nsyzkaller found zero division error [0] in div_s64_rem() called from\nget_cycle_time_elapsed(), where sched->cycle_time is the divisor.\nWe have tests in parse_taprio_schedule() so that cycle_time will never\nbe 0, and actually cycle_time is not 0 in get_cycle_time_elapsed().\nThe problem is that the types of divisor are different; cycle_time is\ns64, but the argument of div_s64_rem() is s32.\nsyzkaller fed this input and 0x100000000 is cast to s32 to be 0.\n@TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME={0xc, 0x8, 0x100000000}\nWe use s64 for cycle_time to cast it to ktime_t, so let's keep it and\nset max for cycle_time.\nWhile at it, we prevent overflow in setup_txtime() and add another\ntest in parse_taprio_schedule() to check if cycle_time overflows.\nAlso, we add a new tdc test case for this issue.\n[0]:\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 103 Comm: kworker/1:3 Not tainted 6.5.0-rc1-00330-g60cc1f7d0605 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: ipv6_addrconf addrconf_dad_work\nRIP: 0010:div_s64_rem include/linux/math64.h:42 [inline]\nRIP: 0010:get_cycle_time_elapsed net/sched/sch_taprio.c:223 [inline]\nRIP: 0010:find_entry_to_transmit+0x252/0x7e0 net/sched/sch_taprio.c:344\nCode: 3c 02 00 0f 85 5e 05 00 00 48 8b 4c 24 08 4d 8b bd 40 01 00 00 48 8b 7c 24 48 48 89 c8 4c 29 f8 48 63 f7 48 99 48 89 74 24 70 <48> f7 fe 48 29 d1 48 8d 04 0f 49 89 cc 48 89 44 24 20 49 8d 85 10\nRSP: 0018:ffffc90000acf260 EFLAGS: 00010206\nRAX: 177450e0347560cf RBX: 0000000000000000 RCX: 177450e0347560cf\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000100000000\nRBP: 0000000000000056 R08: 0000000000000000 R09: ffffed10020a0934\nR10: ffff8880105049a7 R11: ffff88806cf3a520 R12: ffff888010504800\nR13: ffff88800c00d800 R14: ffff8880105049a0 R15: 0000000000000000\nFS:  0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f0edf84f0e8 CR3: 000000000d73c002 CR4: 0000000000770ee0\nPKRU: 55555554\nCall Trace:\n<TASK>\nget_packet_txtime net/sched/sch_taprio.c:508 [inline]\ntaprio_enqueue_one+0x900/0xff0 net/sched/sch_taprio.c:577\ntaprio_enqueue+0x378/0xae0 net/sched/sch_taprio.c:658\ndev_qdisc_enqueue+0x46/0x170 net/core/dev.c:3732\n__dev_xmit_skb net/core/dev.c:3821 [inline]\n__dev_queue_xmit+0x1b2f/0x3000 net/core/dev.c:4169\ndev_queue_xmit include/linux/netdevice.h:3088 [inline]\nneigh_resolve_output net/core/neighbour.c:1552 [inline]\nneigh_resolve_output+0x4a7/0x780 net/core/neighbour.c:1532\nneigh_output include/net/neighbour.h:544 [inline]\nip6_finish_output2+0x924/0x17d0 net/ipv6/ip6_output.c:135\n__ip6_finish_output+0x620/0xaa0 net/ipv6/ip6_output.c:196\nip6_finish_output net/ipv6/ip6_output.c:207 [inline]\nNF_HOOK_COND include/linux/netfilter.h:292 [inline]\nip6_output+0x206/0x410 net/ipv6/ip6_output.c:228\ndst_output include/net/dst.h:458 [inline]\nNF_HOOK.constprop.0+0xea/0x260 include/linux/netfilter.h:303\nndisc_send_skb+0x872/0xe80 net/ipv6/ndisc.c:508\nndisc_send_ns+0xb5/0x130 net/ipv6/ndisc.c:666\naddrconf_dad_work+0xc14/0x13f0 net/ipv6/addrconf.c:4175\nprocess_one_work+0x92c/0x13a0 kernel/workqueue.c:2597\nworker_thread+0x60f/0x1240 kernel/workqueue.c:2748\nkthread+0x2fe/0x3f0 kernel/kthread.c:389\nret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308\n</TASK>\nModules linked in:", "A flaw was addressed in the Linux kernel’s traffic scheduling (TAPRIO) subsystem. The code that handles the TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME attribute did not enforce an upper bound on this value, which could allow excessively large cycle time inputs to be processed. Under certain conditions, this can lead to an integer overflow or wraparound in the scheduling logic. As a result, the kernel may behave unexpectedly and could be made to crash, resulting in a denial of service condition on affected systems." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-10-16T00:00:00Z",
    "advisory" : "RHSA-2024:8157",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "kernel-0:5.14.0-284.88.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54251\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54251\nhttps://lore.kernel.org/linux-cve-announce/2025123054-CVE-2023-54251-2a3b@gregkh/T" ],
  "name" : "CVE-2023-54251",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}