CVE-2023-52991
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
27/03/2025
Last modified:
15/04/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

net: fix NULL pointer in skb_segment_list

Commit 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
introduced UDP listified GRO. The segmentation relies on frag_list being
untouched when passing through the network stack. This assumption can be
broken sometimes, where frag_list itself gets pulled into the linear area,
leaving frag_list NULL. When this happens it can trigger the
following NULL pointer dereference, and panic the kernel. Reversing the
test condition should fix it.

[19185.577801][ C1] BUG: kernel NULL pointer dereference, address:
...
[19185.663775][ C1] RIP: 0010:skb_segment_list+0x1cc/0x390
...
[19185.834644][ C1] Call Trace:
[19185.841730][ C1]
[19185.848563][ C1] __udp_gso_segment+0x33e/0x510
[19185.857370][ C1] inet_gso_segment+0x15b/0x3e0
[19185.866059][ C1] skb_mac_gso_segment+0x97/0x110
[19185.874939][ C1] __skb_gso_segment+0xb2/0x160
[19185.883646][ C1] udp_queue_rcv_skb+0xc3/0x1d0
[19185.892319][ C1] udp_unicast_rcv_skb+0x75/0x90
[19185.900979][ C1] ip_protocol_deliver_rcu+0xd2/0x200
[19185.910003][ C1] ip_local_deliver_finish+0x44/0x60
[19185.918757][ C1] __netif_receive_skb_one_core+0x8b/0xa0
[19185.927834][ C1] process_backlog+0x88/0x130
[19185.935840][ C1] __napi_poll+0x27/0x150
[19185.943447][ C1] net_rx_action+0x27e/0x5f0
[19185.951331][ C1] ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core]
[19185.960848][ C1] __do_softirq+0xbc/0x25d
[19185.968607][ C1] irq_exit_rcu+0x83/0xb0
[19185.976247][ C1] common_interrupt+0x43/0xa0
[19185.984235][ C1] asm_common_interrupt+0x22/0x40
...
[19186.094106][ C1]
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.6 (including) | 5.10.167 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.92 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.10 (excluding) |
cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.2:rc6:*:*:*:*:*:* | | |
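For triage, the version ranges in the table and the crash signature in the description can be checked together. The following is an added example, not part of the original record or of the kernel project; the function names, the 40-line search window and the result labels are assumptions, and the release string is expected in `uname -r` form.

```python
import re

# Upstream ranges from the CPE table: (from, inclusive) .. (up to, exclusive).
AFFECTED = [((5, 6, 0), (5, 10, 167)),
            ((5, 11, 0), (5, 15, 92)),
            ((5, 16, 0), (6, 1, 10))]
AFFECTED_RC = {(6, 2, n) for n in range(1, 7)}  # 6.2-rc1 .. 6.2-rc6

BUG_LINE = re.compile(r"BUG: kernel NULL pointer dereference")
RIP_LINE = re.compile(r"RIP: \S+:skb_segment_list\+")

# Sample input, abridged from the trace in the description above.
SAMPLE_LOG = """\
[19185.577801][ C1] BUG: kernel NULL pointer dereference, address:
[19185.663775][ C1] RIP: 0010:skb_segment_list+0x1cc/0x390
[19185.848563][ C1] __udp_gso_segment+0x33e/0x510
"""

def parse_release(release):
    """Split a `uname -r` string into ((major, minor, patch), rc or None)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(rc) if rc else None)

def in_affected_range(release):
    """Compare the upstream version only; vendor backports are not visible here."""
    version, rc = parse_release(release)
    if rc is not None and (version[0], version[1], rc) in AFFECTED_RC:
        return True
    return any(lo <= version < hi for lo, hi in AFFECTED)

def matches_oops_signature(log_text, window=40):
    """True if a NULL-deref BUG line is followed, within `window` lines,
    by a RIP inside skb_segment_list."""
    lines = log_text.splitlines()
    return any(BUG_LINE.search(line)
               and any(RIP_LINE.search(l) for l in lines[i:i + window])
               for i, line in enumerate(lines))

def triage(release, log_text):
    """Combine both checks into one label for an incident note."""
    affected, crashed = in_affected_range(release), matches_oops_signature(log_text)
    if affected and crashed:
        return "affected-and-crash-matches"
    if crashed:
        return "crash-matches-check-vendor-kernel"
    return "affected-no-crash-seen" if affected else "not-listed"
```

Distribution kernels often carry the fix under an older version number, so a range hit on a vendor release string should be confirmed against the vendor's own advisory.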