CVE-2023-53624 in Linux
Summary
by MITRE • 10/07/2025
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_fq: fix integer overflow of "credit"
if sch_fq is configured with "initial quantum" having values greater than INT_MAX, the first assignment of "credit" does signed integer overflow to a very negative value. In this situation, the syzkaller script provided by Cristoph triggers the CPU soft-lockup warning even with few sockets. It's not an infinite loop, but "credit" wasn't probably meant to be minus 2Gb for each new flow. Capping "initial quantum" to INT_MAX proved to fix the issue.
v2: validation of "initial quantum" is done in fq_policy, instead of open coding in fq_change() _ suggested by Jakub Kicinski
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/20/2026
The vulnerability identified as CVE-2023-53624 resides within the Linux kernel's traffic control subsystem, specifically in the fq (fair queuing) scheduling class implementation. This flaw manifests as an integer overflow condition that occurs when the initial quantum parameter exceeds the maximum value representable by a signed 32-bit integer. The issue affects the network scheduling mechanism responsible for managing packet queuing and flow distribution across network interfaces. When system administrators configure the fq scheduler with initial quantum values greater than INT_MAX, the internal credit calculation undergoes unintended signed integer overflow, resulting in extremely negative credit values that can cause system instability. The vulnerability was discovered through systematic testing using syzkaller, a sophisticated fuzzing framework that revealed the problematic behavior even with minimal network load conditions.
The technical root cause of this vulnerability aligns with CWE-191, which describes integer underflow or wraparound conditions that occur when operations on signed integers produce results outside the representable range. The flaw specifically impacts the sch_fq implementation where the credit variable, intended to track available bandwidth for network flows, becomes corrupted due to the overflow. When the initial quantum parameter exceeds INT_MAX, the signed integer arithmetic produces a negative value close to -2 billion, which represents the overflow behavior of signed 32-bit integers. This corrupted credit value disrupts the fair queuing algorithm's ability to properly distribute network resources among competing flows, leading to potential system performance degradation and resource exhaustion scenarios.
The operational impact of this vulnerability extends beyond simple performance degradation to potentially destabilize system operations through CPU soft-lockup warnings. The system exhibits behavior consistent with ATT&CK technique T1499.004, which involves resource exhaustion attacks that can cause system instability and denial of service conditions. Even with minimal network activity involving only a few sockets, the overflow condition triggers kernel warnings indicating that the system has become unresponsive to CPU scheduling events. This represents a critical flaw because network scheduling is fundamental to system stability, and disruptions in this component can affect all network communications. The vulnerability demonstrates how seemingly benign configuration parameters can lead to catastrophic system behavior when not properly validated against integer limits.
The fix implemented for CVE-2023-53624 addresses the vulnerability by enforcing proper validation of the initial quantum parameter at the fq_policy level rather than within the fq_change() function. This approach ensures that all configuration inputs are properly constrained before they can be processed by the scheduling algorithm, preventing the overflow condition from occurring. The solution follows best practices for input validation and defensive programming as recommended by industry security standards. By capping the initial quantum value to INT_MAX, the implementation prevents the signed integer overflow from occurring while maintaining functional compatibility with existing network configurations. The fix also demonstrates proper software engineering practices by centralizing validation logic in the policy layer, making the system more maintainable and reducing the risk of similar vulnerabilities in related components. This remediation approach ensures that network scheduling remains stable and predictable under all reasonable configuration scenarios while preserving the intended functionality of the fair queuing mechanism.