CVE-2023-53240 in Linux
Summary
by MITRE • 09/15/2025
In the Linux kernel, the following vulnerability has been resolved:
xsk: check IFF_UP earlier in Tx path
Xsk Tx can be triggered via either sendmsg() or poll() syscalls. These two paths share a call to common function xsk_xmit() which has two sanity checks within. A pseudo code example to show the two paths:
__xsk_sendmsg() : xsk_poll(): if (unlikely(!xsk_is_bound(xs))) if (unlikely(!xsk_is_bound(xs))) return -ENXIO; return mask; if (unlikely(need_wait)) (...) return -EOPNOTSUPP; xsk_xmit() mark napi id (...) xsk_xmit()
xsk_xmit(): if (unlikely(!(xs->dev->flags & IFF_UP))) return -ENETDOWN; if (unlikely(!xs->tx)) return -ENOBUFS;
As it can be observed above, in sendmsg() napi id can be marked on interface that was not brought up and this causes a NULL ptr dereference:
[31757.505631] BUG: kernel NULL pointer dereference, address: 0000000000000018
[31757.512710] #PF: supervisor read access in kernel mode
[31757.517936] #PF: error_code(0x0000) - not-present page
[31757.523149] PGD 0 P4D 0
[31757.525726] Oops: 0000 [#1] PREEMPT SMP NOPTI
[31757.530154] CPU: 26 PID: 95641 Comm: xdpsock Not tainted 6.2.0-rc5+ #40
[31757.536871] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019
[31757.547457] RIP: 0010:xsk_sendmsg+0xde/0x180
[31757.551799] Code: 00 75 a2 48 8b 00 a8 04 75 9b 84 d2 74 69 8b 85 14 01 00 00 85 c0 75 1b 48 8b 85 28 03 00 00 48 8b 80 98 00 00 00 48 8b 40 20 <8b> 40 18 89 85 14 01 00 00 8b bd 14 01 00 00 81 ff 00 01 00 00 0f
[31757.570840] RSP: 0018:ffffc90034f27dc0 EFLAGS: 00010246
[31757.576143] RAX: 0000000000000000 RBX: ffffc90034f27e18 RCX: 0000000000000000
[31757.583389] RDX: 0000000000000001 RSI: ffffc90034f27e18 RDI: ffff88984cf3c100
[31757.590631] RBP: ffff88984714a800 R08: ffff88984714a800 R09: 0000000000000000
[31757.597877] R10: 0000000000000001 R11: 0000000000000000 R12: 00000000fffffffa
[31757.605123] R13: 0000000000000000 R14: 0000000000000003 R15: 0000000000000000
[31757.612364] FS: 00007fb4c5931180(0000) GS:ffff88afdfa00000(0000) knlGS:0000000000000000
[31757.620571] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[31757.626406] CR2: 0000000000000018 CR3: 000000184b41c003 CR4: 00000000007706e0
[31757.633648] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[31757.640894] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[31757.648139] PKRU: 55555554
[31757.650894] Call Trace:
[31757.653385] <TASK>
[31757.655524] sock_sendmsg+0x8f/0xa0
[31757.659077] ? sockfd_lookup_light+0x12/0x70
[31757.663416] __sys_sendto+0xfc/0x170
[31757.667051] ? do_sched_setscheduler+0xdb/0x1b0
[31757.671658] __x64_sys_sendto+0x20/0x30
[31757.675557] do_syscall_64+0x38/0x90
[31757.679197] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[31757.687969] Code: 8e f6 ff 44 8b 4c 24 2c 4c 8b 44 24 20 41 89 c4 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 3a 44 89 e7 48 89 44 24 08 e8 b5 8e f6 ff 48
[31757.707007] RSP: 002b:00007ffd49c73c70 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
[31757.714694] RAX: ffffffffffffffda RBX: 000055a996565380 RCX: 00007fb4c5727c16
[31757.721939] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[31757.729184] RBP: 0000000000000040 R08: 0000000000000000 R09: 0000000000000000
[31757.736429] R10: 0000000000000040 R11: 0000000000000293 R12: 0000000000000000
[31757.743673] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[31757.754940] </TASK>
To fix this, let's make xsk_xmit a function that will be responsible for generic Tx, where RCU is handled accordingly and pull out sanity checks and xs->zc handling. Populate sanity checks to __xsk_sendmsg() and xsk_poll().
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 01/28/2026
The vulnerability identified as CVE-2023-53240 resides within the Linux kernel's eXpress Data Path (XDP) subsystem, specifically affecting the XDP socket (xsk) transmit functionality. This flaw manifests as a kernel NULL pointer dereference that occurs when XDP sockets attempt to transmit data through either the sendmsg() or poll() system calls. The core issue stems from an inconsistent handling of interface state checks between these two code paths, creating a window where a socket can be marked for NAPI processing on an interface that has not yet been brought up with the IFF_UP flag. According to the Common Weakness Enumeration framework, this vulnerability maps to CWE-476, which describes NULL pointer dereference, and more specifically aligns with CWE-843, improper access to a resource through a race condition, due to the timing gap in state validation.
The technical implementation reveals that both sendmsg() and poll() system calls invoke the shared xsk_xmit() function, which contains crucial sanity checks for interface state and transmit buffer availability. However, the sendmsg() path executes a critical check for interface state within xsk_xmit() only after potentially marking the NAPI identifier, while the poll() path bypasses this check entirely. This inconsistency leads to a scenario where xsk_xmit() attempts to dereference a NULL pointer when accessing the device flags field, as evidenced by the kernel oops trace showing RIP at xsk_sendmsg+0xde with a memory access violation at address 0x18, which corresponds to the device flags field in the kernel memory layout. The kernel crash report indicates that the error occurs during a supervisor read access, demonstrating that the vulnerability can be exploited to cause a kernel panic, which represents a critical denial-of-service condition with potential for privilege escalation.
The operational impact of this vulnerability extends beyond simple service disruption, as it can be leveraged to cause system instability and potential privilege escalation. The flaw exists in the kernel's network stack handling of XDP sockets, which are commonly used in high-performance networking applications such as network function virtualization, software-defined networking, and high-speed packet processing systems. Attackers could potentially exploit this vulnerability by creating XDP sockets on down interfaces and then triggering the sendmsg() system call, which would result in an immediate kernel crash. This represents a significant concern for systems running kernel versions containing this flaw, particularly in environments where XDP sockets are heavily utilized for packet processing, as it could lead to complete system unavailability.
The fix implemented for CVE-2023-53240 addresses the root cause by restructuring the transmit path to ensure proper state validation occurs before any potentially dangerous operations. The solution involves modifying the xsk_xmit() function to become a dedicated generic transmit handler that properly manages RCU (Read-Copy-Update) synchronization and removes the interface state checks from this function. The sanity checks and xs->zc handling are moved to their respective calling functions, __xsk_sendmsg() and xsk_poll(), ensuring that both paths validate interface state before proceeding with any operations that might result in a NULL pointer dereference. This approach aligns with the ATT&CK framework's technique T1068, which involves exploiting vulnerabilities in kernel-mode software, but in this case, the fix represents a defensive measure that prevents the exploitation path rather than being an attack vector itself. The mitigation strategy follows best practices for kernel security by implementing proper input validation and state management, reducing the attack surface and ensuring that kernel memory operations are only performed on properly initialized and validated resources.