{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-30T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net/mlx5e: Don't clone flow post action attributes second time",
    "id" : "2426037",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426037"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/mlx5e: Don't clone flow post action attributes second time\nThe code already clones post action attributes in\nmlx5e_clone_flow_attr_for_post_act(). Creating another copy in\nmlx5e_tc_post_act_add() is a erroneous leftover from original\nimplementation. Instead, assign handle->attribute to post_attr provided by\nthe caller. Note that cloning the attribute second time is not just\nwasteful but also causes issues like second copy not being properly updated\nin neigh update code which leads to following use-after-free:\nFeb 21 09:02:00 c-237-177-40-045 kernel: BUG: KASAN: use-after-free in mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_report+0xbb/0x1a0\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_save_stack+0x1e/0x40\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_set_track+0x21/0x30\nFeb 21 09:02:00 c-237-177-40-045 kernel:  __kasan_kmalloc+0x7a/0x90\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_save_stack+0x1e/0x40\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_set_track+0x21/0x30\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_save_free_info+0x2a/0x40\nFeb 21 09:02:00 c-237-177-40-045 kernel:  ____kasan_slab_free+0x11a/0x1b0\nFeb 21 09:02:00 c-237-177-40-045 kernel: page dumped because: kasan: bad access detected\nFeb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0: mlx5_cmd_out_err:803:(pid 8833): SET_FLOW_TABLE_ENTRY(0x936) op_mod(0x0) failed, status bad resource state(0x9), syndrome (0xf2ff71), err(-22)\nFeb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0 enp8s0f0: Failed to add post action rule\nFeb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0: mlx5e_tc_encap_flows_add:190:(pid 8833): Failed to update flow post acts, -22\nFeb 21 09:02:00 c-237-177-40-045 kernel: Call Trace:\nFeb 21 09:02:00 c-237-177-40-045 kernel:  <TASK>\nFeb 21 09:02:00 c-237-177-40-045 kernel:  dump_stack_lvl+0x57/0x7d\nFeb 21 09:02:00 c-237-177-40-045 kernel:  print_report+0x170/0x471\nFeb 21 09:02:00 c-237-177-40-045 kernel:  ? mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_report+0xbb/0x1a0\nFeb 21 09:02:00 c-237-177-40-045 kernel:  ? mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  ? __module_address.part.0+0x62/0x200\nFeb 21 09:02:00 c-237-177-40-045 kernel:  ? mlx5_cmd_stub_create_flow_table+0xd0/0xd0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  ? __raw_spin_lock_init+0x3b/0x110\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5_cmd_create_fte+0x80/0xb0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  add_rule_fg+0xe80/0x19c0 [mlx5_core]\n--\nFeb 21 09:02:00 c-237-177-40-045 kernel: Allocated by task 13476:\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_save_stack+0x1e/0x40\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_set_track+0x21/0x30\nFeb 21 09:02:00 c-237-177-40-045 kernel:  __kasan_kmalloc+0x7a/0x90\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5_packet_reformat_alloc+0x7b/0x230 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5e_tc_tun_create_header_ipv4+0x977/0xf10 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5e_attach_encap+0x15b4/0x1e10 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  post_process_attr+0x305/0xa30 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5e_tc_add_fdb_flow+0x4c0/0xcf0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5e_configure_flower+0xcaa/0x4b90 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5e_rep_setup_tc_cls_flower+0x99/0x1b0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5e_rep_setup_tc_cb+0x133/0x1e0 [mlx5_core]\n--\nFeb 21 09:02:00 c-237-177-40-045 kernel: Freed by task 8833:\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_save_s\n---truncated---", "A use-after-free flaw was discovered in the Linux kernel’s mlx5e networking driver. The code erroneously cloned flow post action attributes a second time in mlx5e_tc_post_act_add() despite an earlier clone in mlx5e_clone_flow_attr_for_post_act(). This second clone is not properly updated during neighbor update operations, which can lead to use-after-free memory access when the stale attribute copy is dereferenced." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:7077",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-513.5.1.el8_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54262\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54262\nhttps://lore.kernel.org/linux-cve-announce/2025123058-CVE-2023-54262-4f66@gregkh/T" ],
  "name" : "CVE-2023-54262",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}