CVE-2023-52610 (GCVE-0-2023-52610)

Vulnerability from cvelistv5 – Published: 2024-03-18 10:07 – Updated: 2025-05-04 07:39
Title
net/sched: act_ct: fix skb leak and crash on ooo frags
Summary
In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_ct: fix skb leak and crash on ooo frags

act_ct adds skb->users before defragmentation. If frags arrive in order,
the last frag's reference is reset in:

  inet_frag_reasm_prepare
    skb_morph

which is not straightforward.

However when frags arrive out of order, nobody unref the last frag, and
all frags are leaked. The situation is even worse, as initiating packet
capture can lead to a crash[0] when skb has been cloned and shared at the
same time.

Fix the issue by removing skb_get() before defragmentation. act_ct
returns TC_ACT_CONSUMED when defrag failed or in progress.

[0]:
[ 843.804823] ------------[ cut here ]------------
[ 843.809659] kernel BUG at net/core/skbuff.c:2091!
[ 843.814516] invalid opcode: 0000 [#1] PREEMPT SMP
[ 843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2
[ 843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022
[ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300
[ 843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b <0f> 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89
[ 843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202
[ 843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820
[ 843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00
[ 843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000
[ 843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880
[ 843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900
[ 843.871680] FS: 0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000
[ 843.876242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0
[ 843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 843.894229] PKRU: 55555554
[ 843.898539] Call Trace:
[ 843.902772] <IRQ>
[ 843.906922] ? __die_body+0x1e/0x60
[ 843.911032] ? die+0x3c/0x60
[ 843.915037] ? do_trap+0xe2/0x110
[ 843.918911] ? pskb_expand_head+0x2ac/0x300
[ 843.922687] ? do_error_trap+0x65/0x80
[ 843.926342] ? pskb_expand_head+0x2ac/0x300
[ 843.929905] ? exc_invalid_op+0x50/0x60
[ 843.933398] ? pskb_expand_head+0x2ac/0x300
[ 843.936835] ? asm_exc_invalid_op+0x1a/0x20
[ 843.940226] ? pskb_expand_head+0x2ac/0x300
[ 843.943580] inet_frag_reasm_prepare+0xd1/0x240
[ 843.946904] ip_defrag+0x5d4/0x870
[ 843.950132] nf_ct_handle_fragments+0xec/0x130 [nf_conntrack]
[ 843.953334] tcf_ct_act+0x252/0xd90 [act_ct]
[ 843.956473] ? tcf_mirred_act+0x516/0x5a0 [act_mirred]
[ 843.959657] tcf_action_exec+0xa1/0x160
[ 843.962823] fl_classify+0x1db/0x1f0 [cls_flower]
[ 843.966010] ? skb_clone+0x53/0xc0
[ 843.969173] tcf_classify+0x24d/0x420
[ 843.972333] tc_run+0x8f/0xf0
[ 843.975465] __netif_receive_skb_core+0x67a/0x1080
[ 843.978634] ? dev_gro_receive+0x249/0x730
[ 843.981759] __netif_receive_skb_list_core+0x12d/0x260
[ 843.984869] netif_receive_skb_list_internal+0x1cb/0x2f0
[ 843.987957] ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core]
[ 843.991170] napi_complete_done+0x72/0x1a0
[ 843.994305] mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core]
[ 843.997501] __napi_poll+0x25/0x1b0
[ 844.000627] net_rx_action+0x256/0x330
[ 844.003705] __do_softirq+0xb3/0x29b
[ 844.006718] irq_exit_rcu+0x9e/0xc0
[ 844.009672] common_interrupt+0x86/0xa0
[ 844.012537] </IRQ>
[ 844.015285] <TASK>
[ 844.017937] asm_common_interrupt+0x26/0x40
[ 844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20
[ 844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb
---truncated---
Severity
No CVSS data available.
Assigner
Impacted products

Vendor: Linux, Product: Linux
  Affected: b57dc7c13ea90e09ae15f821d2583fa0231b4935 , < 172ba7d46c202e679f3ccb10264c67416aaeb1c4 (git)
  Affected: b57dc7c13ea90e09ae15f821d2583fa0231b4935 , < 0b5b831122fc3789fff75be433ba3e4dd7b779d4 (git)
  Affected: b57dc7c13ea90e09ae15f821d2583fa0231b4935 , < 73f7da5fd124f2cda9161e2e46114915e6e82e97 (git)
  Affected: b57dc7c13ea90e09ae15f821d2583fa0231b4935 , < f5346df0591d10bc948761ca854b1fae6d2ef441 (git)
  Affected: b57dc7c13ea90e09ae15f821d2583fa0231b4935 , < 3f14b377d01d8357eba032b4cabc8c1149b458b6 (git)

Vendor: Linux, Product: Linux
  Affected: 5.3
  Unaffected: 0 , < 5.3 (semver)
  Unaffected: 5.15.148 , ≤ 5.15.* (semver)
  Unaffected: 6.1.75 , ≤ 6.1.* (semver)
  Unaffected: 6.6.14 , ≤ 6.6.* (semver)
  Unaffected: 6.7.2 , ≤ 6.7.* (semver)
  Unaffected: 6.8 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52610",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-21T16:09:12.830591Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-21T16:09:22.568Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:03:21.154Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/172ba7d46c202e679f3ccb10264c67416aaeb1c4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0b5b831122fc3789fff75be433ba3e4dd7b779d4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/73f7da5fd124f2cda9161e2e46114915e6e82e97"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f5346df0591d10bc948761ca854b1fae6d2ef441"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3f14b377d01d8357eba032b4cabc8c1149b458b6"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/act_ct.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "172ba7d46c202e679f3ccb10264c67416aaeb1c4",
              "status": "affected",
              "version": "b57dc7c13ea90e09ae15f821d2583fa0231b4935",
              "versionType": "git"
            },
            {
              "lessThan": "0b5b831122fc3789fff75be433ba3e4dd7b779d4",
              "status": "affected",
              "version": "b57dc7c13ea90e09ae15f821d2583fa0231b4935",
              "versionType": "git"
            },
            {
              "lessThan": "73f7da5fd124f2cda9161e2e46114915e6e82e97",
              "status": "affected",
              "version": "b57dc7c13ea90e09ae15f821d2583fa0231b4935",
              "versionType": "git"
            },
            {
              "lessThan": "f5346df0591d10bc948761ca854b1fae6d2ef441",
              "status": "affected",
              "version": "b57dc7c13ea90e09ae15f821d2583fa0231b4935",
              "versionType": "git"
            },
            {
              "lessThan": "3f14b377d01d8357eba032b4cabc8c1149b458b6",
              "status": "affected",
              "version": "b57dc7c13ea90e09ae15f821d2583fa0231b4935",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/act_ct.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.148",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.75",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.14",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.2",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ct: fix skb leak and crash on ooo frags\n\nact_ct adds skb-\u003eusers before defragmentation. If frags arrive in order,\nthe last frag\u0027s reference is reset in:\n\n  inet_frag_reasm_prepare\n    skb_morph\n\nwhich is not straightforward.\n\nHowever when frags arrive out of order, nobody unref the last frag, and\nall frags are leaked. The situation is even worse, as initiating packet\ncapture can lead to a crash[0] when skb has been cloned and shared at the\nsame time.\n\nFix the issue by removing skb_get() before defragmentation. act_ct\nreturns TC_ACT_CONSUMED when defrag failed or in progress.\n\n[0]:\n[  843.804823] ------------[ cut here ]------------\n[  843.809659] kernel BUG at net/core/skbuff.c:2091!\n[  843.814516] invalid opcode: 0000 [#1] PREEMPT SMP\n[  843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2\n[  843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022\n[  843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300\n[  843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b \u003c0f\u003e 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89\n[  843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202\n[  843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820\n[  843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00\n[  843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000\n[  843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880\n[  843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900\n[  843.871680] FS:  0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000\n[  843.876242] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  843.880778] CR2: 00007fa42affcfb8 
CR3: 000000011433a002 CR4: 0000000000770ef0\n[  843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  843.894229] PKRU: 55555554\n[  843.898539] Call Trace:\n[  843.902772]  \u003cIRQ\u003e\n[  843.906922]  ? __die_body+0x1e/0x60\n[  843.911032]  ? die+0x3c/0x60\n[  843.915037]  ? do_trap+0xe2/0x110\n[  843.918911]  ? pskb_expand_head+0x2ac/0x300\n[  843.922687]  ? do_error_trap+0x65/0x80\n[  843.926342]  ? pskb_expand_head+0x2ac/0x300\n[  843.929905]  ? exc_invalid_op+0x50/0x60\n[  843.933398]  ? pskb_expand_head+0x2ac/0x300\n[  843.936835]  ? asm_exc_invalid_op+0x1a/0x20\n[  843.940226]  ? pskb_expand_head+0x2ac/0x300\n[  843.943580]  inet_frag_reasm_prepare+0xd1/0x240\n[  843.946904]  ip_defrag+0x5d4/0x870\n[  843.950132]  nf_ct_handle_fragments+0xec/0x130 [nf_conntrack]\n[  843.953334]  tcf_ct_act+0x252/0xd90 [act_ct]\n[  843.956473]  ? tcf_mirred_act+0x516/0x5a0 [act_mirred]\n[  843.959657]  tcf_action_exec+0xa1/0x160\n[  843.962823]  fl_classify+0x1db/0x1f0 [cls_flower]\n[  843.966010]  ? skb_clone+0x53/0xc0\n[  843.969173]  tcf_classify+0x24d/0x420\n[  843.972333]  tc_run+0x8f/0xf0\n[  843.975465]  __netif_receive_skb_core+0x67a/0x1080\n[  843.978634]  ? dev_gro_receive+0x249/0x730\n[  843.981759]  __netif_receive_skb_list_core+0x12d/0x260\n[  843.984869]  netif_receive_skb_list_internal+0x1cb/0x2f0\n[  843.987957]  ? 
mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core]\n[  843.991170]  napi_complete_done+0x72/0x1a0\n[  843.994305]  mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core]\n[  843.997501]  __napi_poll+0x25/0x1b0\n[  844.000627]  net_rx_action+0x256/0x330\n[  844.003705]  __do_softirq+0xb3/0x29b\n[  844.006718]  irq_exit_rcu+0x9e/0xc0\n[  844.009672]  common_interrupt+0x86/0xa0\n[  844.012537]  \u003c/IRQ\u003e\n[  844.015285]  \u003cTASK\u003e\n[  844.017937]  asm_common_interrupt+0x26/0x40\n[  844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20\n[  844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:39:49.706Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/172ba7d46c202e679f3ccb10264c67416aaeb1c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b5b831122fc3789fff75be433ba3e4dd7b779d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/73f7da5fd124f2cda9161e2e46114915e6e82e97"
        },
        {
          "url": "https://git.kernel.org/stable/c/f5346df0591d10bc948761ca854b1fae6d2ef441"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f14b377d01d8357eba032b4cabc8c1149b458b6"
        }
      ],
      "title": "net/sched: act_ct: fix skb leak and crash on ooo frags",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52610",
    "datePublished": "2024-03-18T10:07:46.065Z",
    "dateReserved": "2024-03-06T09:52:12.088Z",
    "dateUpdated": "2025-05-04T07:39:49.706Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

