CVE-2023-53296

MEDIUM EPSS 3.5%
Published Sep 16, 20259mo ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Sep 16, 2025 9mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: sctp: check send stream number after wait_for_sndbuf This patch fixes a corner case where the asoc out stream count may change after wait_for_sndbuf. When the main thread in the client starts a connection, if its out stream count is set to N while the in stream count in the server is set to N - 2, another thread in the client keeps sending the msgs with stream number N - 1, and waits for sndbuf before processing INIT_ACK. However, after processing INIT_ACK, the out stream count in the client is shrunk to N - 2, the same to the in stream count in the server. The crash occurs when the thread waiting for sndbuf is awake and sends the msg in a non-existing stream(N - 1), the call trace is as below: KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] Call Trace: <TASK> sctp_cmd_send_msg net/sctp/sm_sideeffect.c:1114 [inline] sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1777 [inline] sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline] sctp_do_sm+0x197d/0x5310 net/sctp/sm_sideeffect.c:1170 sctp_primitive_SEND+0x9f/0xc0 net/sctp/primitive.c:163 sctp_sendmsg_to_asoc+0x10eb/0x1a30 net/sctp/socket.c:1868 sctp_sendmsg+0x8d4/0x1d90 net/sctp/socket.c:2026 inet_sendmsg+0x9d/0xe0 net/ipv4/af_inet.c:825 sock_sendmsg_nosec net/socket.c:722 [inline] sock_sendmsg+0xde/0x190 net/socket.c:745 The fix is to add an unlikely check for the send stream number after the thread wakes up from the wait_for_sndbuf.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
3.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 11

VendorProductVersionRange
linuxlinux_kernel*≥4.15  –  <4.19.281
linuxlinux_kernel*≥4.20  –  <5.4.241
linuxlinux_kernel*≥5.5  –  <5.10.178
linuxlinux_kernel*≥5.11  –  <5.15.107
linuxlinux_kernel*≥5.16  –  <6.1.24
linuxlinux_kernel*≥6.2  –  <6.2.11
linuxlinux_kernel6.3any
linuxlinux_kernel6.3any
linuxlinux_kernel6.3any
linuxlinux_kernel6.3any
linuxlinux_kernel6.3any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/0443fff49d6352160c200064156c25898bd9f58c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2584024b23552c00d95b50255e47bd18d306d31a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/667eb99cf7c15fe5b0ecefe75cf658e20ef20c9f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9346a1a21142357972a6f466ba6275ddc54b04ac
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a615e7270318fa0b98bf1ff38daf6cf52d840312
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b4b6dfad41aaae9e36e44327b18d5cf4b20dd2ce
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d2128636b303aa9cf065055402ee6697409a8837
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0443fff49d6352160c200064156c25898bd9f58c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2584024b23552c00d95b50255e47bd18d306d31a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/667eb99cf7c15fe5b0ecefe75cf658e20ef20c9f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9346a1a21142357972a6f466ba6275ddc54b04ac
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a615e7270318fa0b98bf1ff38daf6cf52d840312
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b4b6dfad41aaae9e36e44327b18d5cf4b20dd2ce
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d2128636b303aa9cf065055402ee6697409a8837
    Patch