7.8
CVE-2023-53559
- EPSS 0.14%
- Veröffentlicht 04.10.2025 15:17:03
- Zuletzt bearbeitet 21.03.2026 01:01:22
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
ip_vti: fix potential slab-use-after-free in decode_session6
In the Linux kernel, the following vulnerability has been resolved:
ip_vti: fix potential slab-use-after-free in decode_session6
When ip_vti device is set to the qdisc of the sfb type, the cb field
of the sent skb may be modified during enqueuing. Then,
slab-use-after-free may occur when ip_vti device sends IPv6 packets.
As commit f855691975bb ("xfrm6: Fix the nexthdr offset in
_decode_session6.") showed, xfrm_decode_session was originally intended
only for the receive path. IP6CB(skb)->nhoff is not set during
transmission. Therefore, set the cb field in the skb to 0 before
sending packets.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 3.19.1 < 4.14.324
Linux ≫ Linux Kernel Version >= 4.15 < 4.19.293
Linux ≫ Linux Kernel Version >= 4.20 < 5.4.255
Linux ≫ Linux Kernel Version >= 5.5 < 5.10.192
Linux ≫ Linux Kernel Version >= 5.11 < 5.15.128
Linux ≫ Linux Kernel Version >= 5.16 < 6.1.47
Linux ≫ Linux Kernel Version >= 6.2 < 6.4.12
Linux ≫ Linux Kernel Version3.19 Update-
Linux ≫ Linux Kernel Version3.19 Updaterc7
Linux ≫ Linux Kernel Version6.5 Updaterc1
Linux ≫ Linux Kernel Version6.5 Updaterc2
Linux ≫ Linux Kernel Version6.5 Updaterc3
Linux ≫ Linux Kernel Version6.5 Updaterc4
Linux ≫ Linux Kernel Version6.5 Updaterc5
Linux ≫ Linux Kernel Version6.5 Updaterc6
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.14% | 0.036 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/82fb41c5de243e7dfa90f32ca58e35adaff56c1d
https://git.kernel.org/stable/c/7dfe23659f3677c08a60a0056cda2d91a79c15ca
https://git.kernel.org/stable/c/d34c30442d5e53a33cde79ca163320dbe2432cbd
https://git.kernel.org/stable/c/0b4d69539fdea138af2befe08893850c89248068
https://git.kernel.org/stable/c/e1e04cc2ef2c0c0866c19f5627149a76c2baae32
https://git.kernel.org/stable/c/2b05bf5dc437f7891dd409a3eaf5058459391c7a
https://git.kernel.org/stable/c/78e397a43e1c47321a4679cc49a6c4530bf820b9
https://git.kernel.org/stable/c/6018a266279b1a75143c7c0804dd08a5fc4c3e0b