{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2023-53726", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-10-22T13:21:37.348Z", "datePublished": "2025-10-22T13:23:55.896Z", "dateUpdated": "2026-05-11T19:50:40.119Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T19:50:40.119Z" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: csum: Fix OoB access in IP checksum code for negative lengths\n\nAlthough commit c2c24edb1d9c (\"arm64: csum: Fix pathological zero-length\ncalls\") added an early return for zero-length input, syzkaller has\npopped up with an example of a _negative_ length which causes an\nundefined shift and an out-of-bounds read:\n\n | BUG: KASAN: slab-out-of-bounds in do_csum+0x44/0x254 arch/arm64/lib/csum.c:39\n | Read of size 4294966928 at addr ffff0000d7ac0170 by task syz-executor412/5975\n |\n | CPU: 0 PID: 5975 Comm: syz-executor412 Not tainted 6.4.0-rc4-syzkaller-g908f31f2a05b #0\n | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023\n | Call trace:\n | dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233\n | show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240\n | __dump_stack lib/dump_stack.c:88 [inline]\n | dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106\n | print_address_description mm/kasan/report.c:351 [inline]\n | print_report+0x174/0x514 mm/kasan/report.c:462\n | kasan_report+0xd4/0x130 mm/kasan/report.c:572\n | kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:187\n | __kasan_check_read+0x20/0x30 mm/kasan/shadow.c:31\n | do_csum+0x44/0x254 arch/arm64/lib/csum.c:39\n | csum_partial+0x30/0x58 lib/checksum.c:128\n | gso_make_checksum include/linux/skbuff.h:4928 [inline]\n | __udp_gso_segment+0xaf4/0x1bc4 net/ipv4/udp_offload.c:332\n | udp6_ufo_fragment+0x540/0xca0 net/ipv6/udp_offload.c:47\n | ipv6_gso_segment+0x5cc/0x1760 net/ipv6/ip6_offload.c:119\n | skb_mac_gso_segment+0x2b4/0x5b0 net/core/gro.c:141\n | __skb_gso_segment+0x250/0x3d0 net/core/dev.c:3401\n | skb_gso_segment include/linux/netdevice.h:4859 [inline]\n | validate_xmit_skb+0x364/0xdbc net/core/dev.c:3659\n | validate_xmit_skb_list+0x94/0x130 net/core/dev.c:3709\n | sch_direct_xmit+0xe8/0x548 net/sched/sch_generic.c:327\n | __dev_xmit_skb net/core/dev.c:3805 [inline]\n | __dev_queue_xmit+0x147c/0x3318 net/core/dev.c:4210\n | dev_queue_xmit include/linux/netdevice.h:3085 [inline]\n | packet_xmit+0x6c/0x318 net/packet/af_packet.c:276\n | packet_snd net/packet/af_packet.c:3081 [inline]\n | packet_sendmsg+0x376c/0x4c98 net/packet/af_packet.c:3113\n | sock_sendmsg_nosec net/socket.c:724 [inline]\n | sock_sendmsg net/socket.c:747 [inline]\n | __sys_sendto+0x3b4/0x538 net/socket.c:2144\n\nExtend the early return to reject negative lengths as well, aligning our\nimplementation with the generic code in lib/checksum.c" } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "arch/arm64/lib/csum.c" ], "versions": [ { "version": "5777eaed566a1d63e344d3dd8f2b5e33be20643e", "lessThan": "5a85727239a23de1cc8d93985f1056308128f3e2", "status": "affected", "versionType": "git" }, { "version": "5777eaed566a1d63e344d3dd8f2b5e33be20643e", "lessThan": "9a43563cfd6b9200ff2f76b3f9fcdcb217ceb523", "status": "affected", "versionType": "git" }, { "version": "5777eaed566a1d63e344d3dd8f2b5e33be20643e", "lessThan": "ba0b46166b8e547024d02345a68b747841931ad2", "status": "affected", "versionType": "git" }, { "version": "5777eaed566a1d63e344d3dd8f2b5e33be20643e", "lessThan": "a5ad2f87d8e74e351d3f500ad9d5b3a5653e1c6f", "status": "affected", "versionType": "git" }, { "version": "5777eaed566a1d63e344d3dd8f2b5e33be20643e", "lessThan": "fcdf904e866de0e3715835e50409fda3b2590527", "status": "affected", "versionType": "git" }, { "version": "5777eaed566a1d63e344d3dd8f2b5e33be20643e", "lessThan": "8bd795fedb8450ecbef18eeadbd23ed8fc7630f5", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "arch/arm64/lib/csum.c" ], "versions": [ { "version": "5.6", "status": "affected" }, { "version": "0", "lessThan": "5.6", "status": "unaffected", "versionType": "semver" }, { "version": "5.10.195", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.15.132", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.1.53", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.4.16", "lessThanOrEqual": "6.4.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.5.3", "lessThanOrEqual": "6.5.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.6", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "5.10.195" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "5.15.132" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.1.53" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.4.16" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.5.3" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.6" } ] } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/5a85727239a23de1cc8d93985f1056308128f3e2" }, { "url": "https://git.kernel.org/stable/c/9a43563cfd6b9200ff2f76b3f9fcdcb217ceb523" }, { "url": "https://git.kernel.org/stable/c/ba0b46166b8e547024d02345a68b747841931ad2" }, { "url": "https://git.kernel.org/stable/c/a5ad2f87d8e74e351d3f500ad9d5b3a5653e1c6f" }, { "url": "https://git.kernel.org/stable/c/fcdf904e866de0e3715835e50409fda3b2590527" }, { "url": "https://git.kernel.org/stable/c/8bd795fedb8450ecbef18eeadbd23ed8fc7630f5" } ], "title": "arm64: csum: Fix OoB access in IP checksum code for negative lengths", "x_generator": { "engine": "bippy-1.2.0" } } } }