7.1

CVE-2023-53333

EPSS 0.02%
Veröffentlicht 16.09.2025 16:12:08
Zuletzt bearbeitet 10.12.2025 18:29:59
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one

Eric Dumazet says:
  nf_conntrack_dccp_packet() has an unique:

  dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);

  And nothing more is 'pulled' from the packet, depending on the content.
  dh->dccph_doff, and/or dh->dccph_x ...)
  So dccp_ack_seq() is happily reading stuff past the _dh buffer.

BUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0
Read of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371
[..]

Fix this by increasing the stack buffer to also include room for
the extra sequence numbers and all the known dccp packet type headers,
then pull again after the initial validation of the basic header.

While at it, mark packets invalid that lack 48bit sequence bit but
where RFC says the type MUST use them.

Compile tested only.

v2: first skb_header_pointer() now needs to adjust the size to
    only pull the generic header. (Eric)

Heads-up: I intend to remove dccp conntrack support later this year.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 2.6.26 < 5.4.251

Linux ≫ Linux Kernel Version >= 5.5 < 5.10.188

Linux ≫ Linux Kernel Version >= 5.11 < 5.15.121

Linux ≫ Linux Kernel Version >= 5.16 < 6.1.39

Linux ≫ Linux Kernel Version >= 6.2 < 6.3.13

Linux ≫ Linux Kernel Version >= 6.4 < 6.4.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.037

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.1	1.8	5.2	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://git.kernel.org/stable/c/337fdce450637ea663bc816edc2ba81e5cdad02e

Patch

https://git.kernel.org/stable/c/9bdcda7abaf22f6453e5b5efb7eb4e524095d5d8

Patch

https://git.kernel.org/stable/c/c052797ac36813419ad3bfa54cb8615db4b41f15

Patch

https://git.kernel.org/stable/c/5c618daa5038712c4a4ef8923905a2ea1b8836a1

Patch

https://git.kernel.org/stable/c/26bd1f210d3783a691052c51d76bb8a8bbd24c67

Patch

https://git.kernel.org/stable/c/8c0980493beed3a80d6329c44ab293dc8c032927

Patch

https://git.kernel.org/stable/c/ff0a3a7d52ff7282dbd183e7fc29a1fe386b0c30

Patch

https://nvd.nist.gov/vuln/detail/CVE-2023-53333

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-53333

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-53333

EUVD