CVE-2023-53559 in Linux
Summary
by MITRE • 10/04/2025
In the Linux kernel, the following vulnerability has been resolved:
ip_vti: fix potential slab-use-after-free in decode_session6
When ip_vti device is set to the qdisc of the sfb type, the cb field of the sent skb may be modified during enqueuing. Then, slab-use-after-free may occur when ip_vti device sends IPv6 packets. As commit f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.") showed, xfrm_decode_session was originally intended only for the receive path. IP6CB(skb)->nhoff is not set during transmission. Therefore, set the cb field in the skb to 0 before sending packets.
Analysis
by VulDB Data Team • 03/02/2026
The vulnerability identified as CVE-2023-53559 is a slab-use-after-free in the Linux kernel's ip_vti (IPsec virtual tunnel interface) implementation. The flaw manifests when an ip_vti device is configured with the sfb (Stochastic Fair Blue) queuing discipline, a combination in which memory corruption can occur during IPv6 packet transmission. The issue stems from improper handling of the control block (cb) field of the socket buffer, which compromises system stability and security integrity.
The technical root cause lies in how the skb (socket buffer) control block field is treated during packet queuing. When packets are enqueued through the sfb qdisc, the cb field of the sent skb is modified, so memory previously freed to the kernel's slab allocator may be accessed again. This happens because xfrm_decode_session, which was designed for the receive path, is also invoked during transmission. The commit referenced in the fix notes that IP6CB(skb)->nhoff is not initialized during transmission, yet the transmit path manipulates control block data that should remain untouched for outbound packets.
This vulnerability maps to CWE-416, which addresses use-after-free conditions, and aligns with ATT&CK technique T1059.001 (Command and Scripting Interpreter). The operational impact extends beyond simple system crashes, as an attacker could potentially exploit the condition to execute arbitrary code in kernel space, leading to complete system compromise. The flaw affects systems running Linux kernel versions in which ip_vti is enabled and configured with the sfb queuing discipline, making it particularly relevant for network infrastructure devices, firewalls, and systems that carry substantial traffic through tunnels.
Mitigation should prioritize immediate kernel updates to versions containing the fix commit, which resets the cb field to zero before packet transmission. Network administrators should also monitor for unusual packet queuing behavior and consider temporarily disabling ip_vti configurations that use the sfb queuing discipline. Additionally, system hardening measures such as kernel lockdown and proper access controls around network configuration interfaces can reduce the attack surface. The fix addresses the issue by initializing the control block field before transmission, preventing freed memory from being accessed again during packet processing.
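The advisory ties the affected configuration to a specific pairing: an ip_vti device whose qdisc is sfb. The following POSIX shell audit, an added example and not part of the MITRE record or the VulDB analysis, enumerates vti devices with `ip link show type vti`/`type vti6`, reads each device's qdisc with `tc qdisc show dev`, and flags the sfb case so an administrator can find exposed interfaces before the kernel is patched. The sample `tc` output strings at the bottom are constructed for illustration and are not taken from the page.

```shell
#!/bin/sh
# Added example: audit ip_vti interfaces for an attached sfb qdisc (the combination
# CVE-2023-53559 describes). Not code from the kernel project or the advisory.

# Return 0 if the given `tc qdisc show dev X` output shows an sfb qdisc, 1 otherwise.
has_sfb_qdisc() {
    printf '%s\n' "$1" | grep -q '^qdisc sfb '
}

# Print the names of IPv4 (vti) and IPv6 (vti6) virtual tunnel interfaces on this host.
# `ip -o` gives one line per device, e.g. "5: vti0@NONE: <POINTOPOINT,...> ..."; the
# awk strips the "@NONE" suffix and keeps only the device name.
list_vti_devices() {
    { ip -o link show type vti 2>/dev/null; ip -o link show type vti6 2>/dev/null; } \
        | awk -F': ' '{ sub(/@.*/, "", $2); print $2 }'
}

# Report each vti device whose qdisc is sfb. Returns 1 if any such device is found.
audit_vti_sfb() {
    found=0
    for dev in $(list_vti_devices); do
        out=$(tc qdisc show dev "$dev" 2>/dev/null) || continue
        if has_sfb_qdisc "$out"; then
            echo "WARNING: $dev has an sfb qdisc; affected by CVE-2023-53559 on unpatched kernels"
            found=1
        else
            echo "ok: $dev"
        fi
    done
    return $found
}

# Constructed sample `tc qdisc show dev` output (not captured from a real system),
# used to exercise has_sfb_qdisc without root or the tc binary.
SAMPLE_SFB='qdisc sfb 8001: root refcnt 2 rehash 600s db 60s limit 0p max 25p target 20p increment 0.00050 decrement 0.00005 penalty_rate 10pps penalty_burst 20p'
SAMPLE_FQ_CODEL='qdisc fq_codel 0: root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64'

# When run directly as root on a host with iproute2, audit the live configuration.
if [ "${1:-}" = "--audit" ]; then
    audit_vti_sfb
fi
```

Run it as `sh audit_vti_sfb.sh --audit` on the host; a non-zero exit status means at least one vti device is queued through sfb. Replacing that qdisc (or applying the patched kernel) removes the condition the advisory describes.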