{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-08T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Linux kernel: Denial of Service via integer overflow in kmalloc_reserve()",
    "id" : "2419915",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2419915"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-190",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: deal with integer overflows in kmalloc_reserve()\nBlamed commit changed:\nptr = kmalloc(size);\nif (ptr)\nsize = ksize(ptr);\nsize = kmalloc_size_roundup(size);\nptr = kmalloc(size);\nThis allowed various crash as reported by syzbot [1]\nand Kyle Zeng.\nProblem is that if @size is bigger than 0x80000001,\nkmalloc_size_roundup(size) returns 2^32.\nkmalloc_reserve() uses a 32bit variable (obj_size),\nso 2^32 is truncated to 0.\nkmalloc(0) returns ZERO_SIZE_PTR which is not handled by\nskb allocations.\nFollowing trace can be triggered if a netdev->mtu is set\nclose to 0x7fffffff\nWe might in the future limit netdev->mtu to more sensible\nlimit (like KMALLOC_MAX_SIZE).\nThis patch is based on a syzbot report, and also a report\nand tentative fix from Kyle Zeng.\n[1]\nBUG: KASAN: user-memory-access in __build_skb_around net/core/skbuff.c:294 [inline]\nBUG: KASAN: user-memory-access in __alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527\nWrite of size 32 at addr 00000000fffffd10 by task syz-executor.4/22554\nCPU: 1 PID: 22554 Comm: syz-executor.4 Not tainted 6.1.39-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023\nCall trace:\ndump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:279\nshow_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:286\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x120/0x1a0 lib/dump_stack.c:106\nprint_report+0xe4/0x4b4 mm/kasan/report.c:398\nkasan_report+0x150/0x1ac mm/kasan/report.c:495\nkasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189\nmemset+0x40/0x70 mm/kasan/shadow.c:44\n__build_skb_around net/core/skbuff.c:294 [inline]\n__alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527\nalloc_skb include/linux/skbuff.h:1316 [inline]\nigmpv3_newpack+0x104/0x1088 net/ipv4/igmp.c:359\nadd_grec+0x81c/0x1124 net/ipv4/igmp.c:534\nigmpv3_send_cr net/ipv4/igmp.c:667 [inline]\nigmp_ifc_timer_expire+0x1b0/0x1008 net/ipv4/igmp.c:810\ncall_timer_fn+0x1c0/0x9f0 kernel/time/timer.c:1474\nexpire_timers kernel/time/timer.c:1519 [inline]\n__run_timers+0x54c/0x710 kernel/time/timer.c:1790\nrun_timer_softirq+0x28/0x4c kernel/time/timer.c:1803\n_stext+0x380/0xfbc\n____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79\ncall_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:891\ndo_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:84\ninvoke_softirq kernel/softirq.c:437 [inline]\n__irq_exit_rcu+0x1c0/0x4cc kernel/softirq.c:683\nirq_exit_rcu+0x14/0x78 kernel/softirq.c:695\nel0_interrupt+0x7c/0x2e0 arch/arm64/kernel/entry-common.c:717\n__el0_irq_handler_common+0x18/0x24 arch/arm64/kernel/entry-common.c:724\nel0t_64_irq_handler+0x10/0x1c arch/arm64/kernel/entry-common.c:729\nel0t_64_irq+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584", "A flaw was found in the Linux kernel's networking subsystem. A local attacker can exploit an integer overflow vulnerability in the `kmalloc_reserve()` function by manipulating network interface settings. This can cause the kernel to attempt a memory allocation with an incorrect size, leading to memory corruption and ultimately a system crash, resulting in a Denial of Service (DoS)." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53752\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53752\nhttps://lore.kernel.org/linux-cve-announce/2025120843-CVE-2023-53752-339f@gregkh/T" ],
  "name" : "CVE-2023-53752",
  "csaw" : false
}