CVE-2023-53354

MEDIUM 5.5

skbuff: skb_segment, Call zero copy functions before using skbuff frags

CVSS Score

5.5

EPSS Score

0.0%

EPSS Percentile

0th

In the Linux kernel, the following vulnerability has been resolved: skbuff: skb_segment, Call zero copy functions before using skbuff frags Commit bf5c25d60861 ("skbuff: in skb_segment, call zerocopy functions once per nskb") added the call to zero copy functions in skb_segment(). The change introduced a bug in skb_segment() because skb_orphan_frags() may possibly change the number of fragments or allocate new fragments altogether leaving nrfrags and frag to point to the old values. This can cause a panic with stacktrace like the one below. [ 193.894380] BUG: kernel NULL pointer dereference, address: 00000000000000bc [ 193.895273] CPU: 13 PID: 18164 Comm: vh-net-17428 Kdump: loaded Tainted: G O 5.15.123+ #26 [ 193.903919] RIP: 0010:skb_segment+0xb0e/0x12f0 [ 194.021892] Call Trace: [ 194.027422] <TASK> [ 194.072861] tcp_gso_segment+0x107/0x540 [ 194.082031] inet_gso_segment+0x15c/0x3d0 [ 194.090783] skb_mac_gso_segment+0x9f/0x110 [ 194.095016] __skb_gso_segment+0xc1/0x190 [ 194.103131] netem_enqueue+0x290/0xb10 [sch_netem] [ 194.107071] dev_qdisc_enqueue+0x16/0x70 [ 194.110884] __dev_queue_xmit+0x63b/0xb30 [ 194.121670] bond_start_xmit+0x159/0x380 [bonding] [ 194.128506] dev_hard_start_xmit+0xc3/0x1e0 [ 194.131787] __dev_queue_xmit+0x8a0/0xb30 [ 194.138225] macvlan_start_xmit+0x4f/0x100 [macvlan] [ 194.141477] dev_hard_start_xmit+0xc3/0x1e0 [ 194.144622] sch_direct_xmit+0xe3/0x280 [ 194.147748] __dev_queue_xmit+0x54a/0xb30 [ 194.154131] tap_get_user+0x2a8/0x9c0 [tap] [ 194.157358] tap_sendmsg+0x52/0x8e0 [tap] [ 194.167049] handle_tx_zerocopy+0x14e/0x4c0 [vhost_net] [ 194.173631] handle_tx+0xcd/0xe0 [vhost_net] [ 194.176959] vhost_worker+0x76/0xb0 [vhost] [ 194.183667] kthread+0x118/0x140 [ 194.190358] ret_from_fork+0x1f/0x30 [ 194.193670] </TASK> In this case calling skb_orphan_frags() updated nr_frags leaving nrfrags local variable in skb_segment() stale. This resulted in the code hitting i >= nrfrags prematurely and trying to move to next frag_skb using list_skb pointer, which was NULL, and caused kernel panic. Move the call to zero copy functions before using frags and nr_frags.

Vendor	linux
Product	linux
Ecosystems	Linux Kernel
Industries	Technology
Published	Sep 17, 2025
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for linux linux

Be the first to know when new medium vulnerabilities affecting linux linux are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Linux / Linux

bf5c25d608613eaf4dcdba5a9cac5b2afe67d635 < fcab3f661dbfd88e27ddbbe65368f3fa2d823175 bf5c25d608613eaf4dcdba5a9cac5b2afe67d635 < d44403ec0676317b7f7edf2a035bb219fee3304e bf5c25d608613eaf4dcdba5a9cac5b2afe67d635 < 8836c266201c29a5acb4f582227686f47b65ad61 bf5c25d608613eaf4dcdba5a9cac5b2afe67d635 < d5790386595d06ea9decfd9ba5f1ea48cf09aa02 bf5c25d608613eaf4dcdba5a9cac5b2afe67d635 < 04c3eee4e13f60bf6f9a366ad39f88a01a57166e bf5c25d608613eaf4dcdba5a9cac5b2afe67d635 < f99006e840a4dbc8f5a34cecc6b5b26c73ef49bb bf5c25d608613eaf4dcdba5a9cac5b2afe67d635 < 6c26ed3c6abe86ddab0510529000b970b05c9b40 bf5c25d608613eaf4dcdba5a9cac5b2afe67d635 < 2ea35288c83b3d501a88bc17f2df8f176b5cc96f

Linux / Linux

4.16

References

NVD ↗ CVE.org ↗ EPSS Data ↗