2396130 – (CVE-2023-53365) CVE-2023-53365 kernel: ip6mr: Fix skb_under_panic in ip6mr_cache_report()

Bug 2396130 (CVE-2023-53365) - CVE-2023-53365 kernel: ip6mr: Fix skb_under_panic in ip6mr_cache_report()

Summary: CVE-2023-53365 kernel: ip6mr: Fix skb_under_panic in ip6mr_cache_report()

Keywords:
Status:	NEW
Alias:	CVE-2023-53365
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-17 15:03 UTC by OSIDB Bzimport
Modified:	2025-11-25 18:13 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2025:22006	None	None	None	2025-11-25 00:37:26 UTC
Red Hat Product Errata	RHSA-2025:22066	None	None	None	2025-11-25 10:35:26 UTC
Red Hat Product Errata	RHSA-2025:22072	None	None	None	2025-11-25 12:31:22 UTC
Red Hat Product Errata	RHSA-2025:22087	None	None	None	2025-11-25 16:04:58 UTC
Red Hat Product Errata	RHSA-2025:22095	None	None	None	2025-11-25 17:16:12 UTC
Red Hat Product Errata	RHSA-2025:22124	None	None	None	2025-11-25 18:13:55 UTC

Description OSIDB Bzimport 2025-09-17 15:03:07 UTC

In the Linux kernel, the following vulnerability has been resolved:

ip6mr: Fix skb_under_panic in ip6mr_cache_report()

skbuff: skb_under_panic: text:ffffffff88771f69 len:56 put:-4
 head:ffff88805f86a800 data:ffff887f5f86a850 tail:0x88 end:0x2c0 dev:pim6reg
 ------------[ cut here ]------------
 kernel BUG at net/core/skbuff.c:192!
 invalid opcode: 0000 [#1] PREEMPT SMP KASAN
 CPU: 2 PID: 22968 Comm: kworker/2:11 Not tainted 6.5.0-rc3-00044-g0a8db05b571a #236
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
 Workqueue: ipv6_addrconf addrconf_dad_work
 RIP: 0010:skb_panic+0x152/0x1d0
 Call Trace:
  <TASK>
  skb_push+0xc4/0xe0
  ip6mr_cache_report+0xd69/0x19b0
  reg_vif_xmit+0x406/0x690
  dev_hard_start_xmit+0x17e/0x6e0
  __dev_queue_xmit+0x2d6a/0x3d20
  vlan_dev_hard_start_xmit+0x3ab/0x5c0
  dev_hard_start_xmit+0x17e/0x6e0
  __dev_queue_xmit+0x2d6a/0x3d20
  neigh_connected_output+0x3ed/0x570
  ip6_finish_output2+0x5b5/0x1950
  ip6_finish_output+0x693/0x11c0
  ip6_output+0x24b/0x880
  NF_HOOK.constprop.0+0xfd/0x530
  ndisc_send_skb+0x9db/0x1400
  ndisc_send_rs+0x12a/0x6c0
  addrconf_dad_completed+0x3c9/0xea0
  addrconf_dad_work+0x849/0x1420
  process_one_work+0xa22/0x16e0
  worker_thread+0x679/0x10c0
  ret_from_fork+0x28/0x60
  ret_from_fork_asm+0x11/0x20

When setup a vlan device on dev pim6reg, DAD ns packet may sent on reg_vif_xmit().
reg_vif_xmit()
    ip6mr_cache_report()
        skb_push(skb, -skb_network_offset(pkt));//skb_network_offset(pkt) is 4
And skb_push declared as:
	void *skb_push(struct sk_buff *skb, unsigned int len);
		skb->data -= len;
		//0xffff88805f86a84c - 0xfffffffc = 0xffff887f5f86a850
skb->data is set to 0xffff887f5f86a850, which is invalid mem addr, lead to skb_push() fails.

Comment 1 Jon Moroney 2025-09-17 18:15:17 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091723-CVE-2023-53365-acb1@gregkh/T

Comment 5 errata-xmlrpc 2025-11-25 00:37:25 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:22006 https://access.redhat.com/errata/RHSA-2025:22006

Comment 6 errata-xmlrpc 2025-11-25 10:35:25 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:22066 https://access.redhat.com/errata/RHSA-2025:22066

Comment 7 errata-xmlrpc 2025-11-25 12:31:20 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:22072 https://access.redhat.com/errata/RHSA-2025:22072

Comment 8 errata-xmlrpc 2025-11-25 16:04:56 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:22087 https://access.redhat.com/errata/RHSA-2025:22087

Comment 9 errata-xmlrpc 2025-11-25 17:16:11 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:22095 https://access.redhat.com/errata/RHSA-2025:22095

Comment 10 errata-xmlrpc 2025-11-25 18:13:54 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:22124 https://access.redhat.com/errata/RHSA-2025:22124

Note You need to log in before you can comment on or make changes to this bug.