CVE-2023-53669

MEDIUM

Linux Kernel - Use-After-Free in skb_copy_ubufs() via BIG TCP

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: tcp: fix skb_copy_ubufs() vs BIG TCP David Ahern reported crashes in skb_copy_ubufs() caused by TCP tx zerocopy using hugepages, and skb length bigger than ~68 KB. skb_copy_ubufs() assumed it could copy all payload using up to MAX_SKB_FRAGS order-0 pages. This assumption broke when BIG TCP was able to put up to 512 KB per skb. We did not hit this bug at Google because we use CONFIG_MAX_SKB_FRAGS=45 and limit gso_max_size to 180000. A solution is to use higher order pages if needed. v2: add missing __GFP_COMP, or we leak memory.

References (4)

Core 4

Core References

Patch

https://git.kernel.org/stable/c/7fa93e39fbb0566019c388a8038a4d58552e0910

Patch

https://git.kernel.org/stable/c/3c77a377877acbaf03cd7caa21d3644a5dd16301

Patch

https://git.kernel.org/stable/c/9cd62f0ba465cf647c7d8c2ca7b0d99ea0c1328f

Patch

https://git.kernel.org/stable/c/7e692df3933628d974acb9f5b334d2b3e885e2a6

Scores

CVSS v3 5.5

EPSS 0.0013

EPSS Percentile 3.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-401

Status published

Products (11)

Linux/Linux < 5.19

Linux/Linux 5.19

Linux/Linux 6.1.29 - 6.1.*

Linux/Linux 6.2.16 - 6.2.*

Linux/Linux 6.3.3 - 6.3.*

Linux/Linux 6.4

Linux/Linux 7c4e983c4f3cf94fcd879730c6caa877e0768a4d - 3c77a377877acbaf03cd7caa21d3644a5dd16301

Linux/Linux 7c4e983c4f3cf94fcd879730c6caa877e0768a4d - 7e692df3933628d974acb9f5b334d2b3e885e2a6

Linux/Linux 7c4e983c4f3cf94fcd879730c6caa877e0768a4d - 7fa93e39fbb0566019c388a8038a4d58552e0910

Linux/Linux 7c4e983c4f3cf94fcd879730c6caa877e0768a4d - 9cd62f0ba465cf647c7d8c2ca7b0d99ea0c1328f

... and 1 more

Published Oct 07, 2025

Tracked Since Feb 18, 2026