CVE-2023-53333

HIGH EPSS 3.6%
Published Sep 16, 20259mo ago · Modified Jun 17, 20261w ago
7.1 CVSS 3.1
High
Find Similar
Published Sep 16, 2025 9mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one Eric Dumazet says: nf_conntrack_dccp_packet() has an unique: dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); And nothing more is 'pulled' from the packet, depending on the content. dh->dccph_doff, and/or dh->dccph_x ...) So dccp_ack_seq() is happily reading stuff past the _dh buffer. BUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0 Read of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371 [..] Fix this by increasing the stack buffer to also include room for the extra sequence numbers and all the known dccp packet type headers, then pull again after the initial validation of the basic header. While at it, mark packets invalid that lack 48bit sequence bit but where RFC says the type MUST use them. Compile tested only. v2: first skb_header_pointer() now needs to adjust the size to only pull the generic header. (Eric) Heads-up: I intend to remove dccp conntrack support later this year.

CVSS Details

Base Score
7.1
Exploitability
1.8
Impact
5.2
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
3.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-125 Out-of-bounds Read Memory Safety

Affected Products 6

VendorProductVersionRange
linuxlinux_kernel*≥2.6.26  –  <5.4.251
linuxlinux_kernel*≥5.5  –  <5.10.188
linuxlinux_kernel*≥5.11  –  <5.15.121
linuxlinux_kernel*≥5.16  –  <6.1.39
linuxlinux_kernel*≥6.2  –  <6.3.13
linuxlinux_kernel*≥6.4  –  <6.4.4

References 7

  • git.kernel.org https://git.kernel.org/stable/c/26bd1f210d3783a691052c51d76bb8a8bbd24c67
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/337fdce450637ea663bc816edc2ba81e5cdad02e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5c618daa5038712c4a4ef8923905a2ea1b8836a1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8c0980493beed3a80d6329c44ab293dc8c032927
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9bdcda7abaf22f6453e5b5efb7eb4e524095d5d8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c052797ac36813419ad3bfa54cb8615db4b41f15
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ff0a3a7d52ff7282dbd183e7fc29a1fe386b0c30
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/26bd1f210d3783a691052c51d76bb8a8bbd24c67
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/337fdce450637ea663bc816edc2ba81e5cdad02e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5c618daa5038712c4a4ef8923905a2ea1b8836a1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8c0980493beed3a80d6329c44ab293dc8c032927
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9bdcda7abaf22f6453e5b5efb7eb4e524095d5d8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c052797ac36813419ad3bfa54cb8615db4b41f15
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ff0a3a7d52ff7282dbd183e7fc29a1fe386b0c30
    Patch