{ "threat_severity" : "Moderate", "public_date" : "2025-12-30T00:00:00Z", "bugzilla" : { "description" : "kernel: ipv6: Fix an uninit variable access bug in __ip6_make_skb()", "id" : "2426032", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426032" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-457", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nipv6: Fix an uninit variable access bug in __ip6_make_skb()\nSyzbot reported a bug as following:\n=====================================================\nBUG: KMSAN: uninit-value in arch_atomic64_inc arch/x86/include/asm/atomic64_64.h:88 [inline]\nBUG: KMSAN: uninit-value in arch_atomic_long_inc include/linux/atomic/atomic-long.h:161 [inline]\nBUG: KMSAN: uninit-value in atomic_long_inc include/linux/atomic/atomic-instrumented.h:1429 [inline]\nBUG: KMSAN: uninit-value in __ip6_make_skb+0x2f37/0x30f0 net/ipv6/ip6_output.c:1956\narch_atomic64_inc arch/x86/include/asm/atomic64_64.h:88 [inline]\narch_atomic_long_inc include/linux/atomic/atomic-long.h:161 [inline]\natomic_long_inc include/linux/atomic/atomic-instrumented.h:1429 [inline]\n__ip6_make_skb+0x2f37/0x30f0 net/ipv6/ip6_output.c:1956\nip6_finish_skb include/net/ipv6.h:1122 [inline]\nip6_push_pending_frames+0x10e/0x550 net/ipv6/ip6_output.c:1987\nrawv6_push_pending_frames+0xb12/0xb90 net/ipv6/raw.c:579\nrawv6_sendmsg+0x297e/0x2e60 net/ipv6/raw.c:922\ninet_sendmsg+0x101/0x180 net/ipv4/af_inet.c:827\nsock_sendmsg_nosec net/socket.c:714 [inline]\nsock_sendmsg net/socket.c:734 [inline]\n____sys_sendmsg+0xa8e/0xe70 net/socket.c:2476\n___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2530\n__sys_sendmsg net/socket.c:2559 [inline]\n__do_sys_sendmsg net/socket.c:2568 [inline]\n__se_sys_sendmsg net/socket.c:2566 [inline]\n__x64_sys_sendmsg+0x367/0x540 net/socket.c:2566\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nUninit was created at:\nslab_post_alloc_hook mm/slab.h:766 [inline]\nslab_alloc_node mm/slub.c:3452 [inline]\n__kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491\n__do_kmalloc_node mm/slab_common.c:967 [inline]\n__kmalloc_node_track_caller+0x114/0x3b0 mm/slab_common.c:988\nkmalloc_reserve net/core/skbuff.c:492 [inline]\n__alloc_skb+0x3af/0x8f0 net/core/skbuff.c:565\nalloc_skb include/linux/skbuff.h:1270 [inline]\n__ip6_append_data+0x51c1/0x6bb0 net/ipv6/ip6_output.c:1684\nip6_append_data+0x411/0x580 net/ipv6/ip6_output.c:1854\nrawv6_sendmsg+0x2882/0x2e60 net/ipv6/raw.c:915\ninet_sendmsg+0x101/0x180 net/ipv4/af_inet.c:827\nsock_sendmsg_nosec net/socket.c:714 [inline]\nsock_sendmsg net/socket.c:734 [inline]\n____sys_sendmsg+0xa8e/0xe70 net/socket.c:2476\n___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2530\n__sys_sendmsg net/socket.c:2559 [inline]\n__do_sys_sendmsg net/socket.c:2568 [inline]\n__se_sys_sendmsg net/socket.c:2566 [inline]\n__x64_sys_sendmsg+0x367/0x540 net/socket.c:2566\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nIt is because icmp6hdr does not in skb linear region under the scenario\nof SOCK_RAW socket. Access icmp6_hdr(skb)->icmp6_type directly will\ntrigger the uninit variable access bug.\nUse a local variable icmp6_type to carry the correct value in different\nscenarios.", "A flaw was identified in the Linux kernel’s IPv6 networking code in the function __ip6_make_skb(). Under certain conditions—such as when using raw IPv6 sockets and processing ICMPv6 headers—the code may access an uninitialized variable because the expected header data is not guaranteed to reside in the linear portion of the socket buffer (skb). This can lead to unpredictable behavior, including potential kernel instability or crash" ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-11-14T00:00:00Z", "advisory" : "RHSA-2023:7077", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-513.5.1.el8_9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54265\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54265\nhttps://lore.kernel.org/linux-cve-announce/2025123059-CVE-2023-54265-02a6@gregkh/T" ], "name" : "CVE-2023-54265", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }