CVE-2023-54094 in Linuxinfo

Summary

by MITRE • 12/24/2025

In the Linux kernel, the following vulnerability has been resolved:

net: prevent skb corruption on frag list segmentation

Ian reported several skb corruptions triggered by rx-gro-list, collecting different oops alike:

[ 62.624003] BUG: kernel NULL pointer dereference, address: 00000000000000c0
[ 62.631083] #PF: supervisor read access in kernel mode
[ 62.636312] #PF: error_code(0x0000) - not-present page
[ 62.641541] PGD 0 P4D 0
[ 62.644174] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 62.648629] CPU: 1 PID: 913 Comm: napi/eno2-79 Not tainted 6.4.0 #364
[ 62.655162] Hardware name: Supermicro Super Server/A2SDi-12C-HLN4F, BIOS 1.7a 10/13/2022
[ 62.663344] RIP: 0010:__udp_gso_segment (./include/linux/skbuff.h:2858
./include/linux/udp.h:23 net/ipv4/udp_offload.c:228 net/ipv4/udp_offload.c:261 net/ipv4/udp_offload.c:277) [ 62.687193] RSP: 0018:ffffbd3a83b4f868 EFLAGS: 00010246
[ 62.692515] RAX: 00000000000000ce RBX: 0000000000000000 RCX: 0000000000000000
[ 62.699743] RDX: ffffa124def8a000 RSI: 0000000000000079 RDI: ffffa125952a14d4
[ 62.706970] RBP: ffffa124def8a000 R08: 0000000000000022 R09: 00002000001558c9
[ 62.714199] R10: 0000000000000000 R11: 00000000be554639 R12: 00000000000000e2
[ 62.721426] R13: ffffa125952a1400 R14: ffffa125952a1400 R15: 00002000001558c9
[ 62.728654] FS: 0000000000000000(0000) GS:ffffa127efa40000(0000)
knlGS:0000000000000000 [ 62.736852] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 62.742702] CR2: 00000000000000c0 CR3: 00000001034b0000 CR4: 00000000003526e0
[ 62.749948] Call Trace:
[ 62.752498] <TASK>
[ 62.779267] inet_gso_segment (net/ipv4/af_inet.c:1398)
[ 62.787605] skb_mac_gso_segment (net/core/gro.c:141)
[ 62.791906] __skb_gso_segment (net/core/dev.c:3403 (discriminator 2))
[ 62.800492] validate_xmit_skb (./include/linux/netdevice.h:4862
net/core/dev.c:3659) [ 62.804695] validate_xmit_skb_list (net/core/dev.c:3710)
[ 62.809158] sch_direct_xmit (net/sched/sch_generic.c:330)
[ 62.813198] __dev_queue_xmit (net/core/dev.c:3805 net/core/dev.c:4210)
net/netfilter/core.c:626) [ 62.821093] br_dev_queue_push_xmit (net/bridge/br_forward.c:55)
[ 62.825652] maybe_deliver (net/bridge/br_forward.c:193)
[ 62.829420] br_flood (net/bridge/br_forward.c:233)
[ 62.832758] br_handle_frame_finish (net/bridge/br_input.c:215)
[ 62.837403] br_handle_frame (net/bridge/br_input.c:298
net/bridge/br_input.c:416) [ 62.851417] __netif_receive_skb_core.constprop.0 (net/core/dev.c:5387)
[ 62.866114] __netif_receive_skb_list_core (net/core/dev.c:5570)
[ 62.871367] netif_receive_skb_list_internal (net/core/dev.c:5638
net/core/dev.c:5727) [ 62.876795] napi_complete_done (./include/linux/list.h:37
./include/net/gro.h:434 ./include/net/gro.h:429 net/core/dev.c:6067) [ 62.881004] ixgbe_poll (drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:3191)
[ 62.893534] __napi_poll (net/core/dev.c:6498)
[ 62.897133] napi_threaded_poll (./include/linux/netpoll.h:89
net/core/dev.c:6640) [ 62.905276] kthread (kernel/kthread.c:379)
[ 62.913435] ret_from_fork (arch/x86/entry/entry_64.S:314)
[ 62.917119] </TASK>

In the critical scenario, rx-gro-list GRO-ed packets are fed, via a bridge, both to the local input path and to an egress device (tun).

The segmentation of such packets unsafely writes to the cloned skbs with shared heads.

This change addresses the issue by uncloning as needed the to-be-segmented skbs.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 01/03/2026

The vulnerability described in CVE-2023-54094 affects the Linux kernel's network stack and specifically targets the handling of Generic Receive Offload (GRO) list segmentation within the networking subsystem. This flaw manifests as a kernel NULL pointer dereference when processing fragmented packets that have been aggregated through GRO and subsequently processed by the network bridge. The issue occurs during the segmentation of packets that are part of a GRO list, particularly when these packets are destined for both local input processing and egress through a tunnel device. The underlying problem stems from unsafe write operations performed on cloned socket buffer (skb) structures that share memory heads, leading to memory corruption and potential system instability.

The technical root cause lies in the improper handling of socket buffer structures during the segmentation process. When packets are received via GRO and then processed through a network bridge, the kernel attempts to segment these packets for further transmission. However, the implementation fails to properly unclone skbs that are shared between multiple packet processing paths. This results in concurrent access to shared memory regions without proper synchronization, causing memory corruption when the segmentation code attempts to modify data within these shared buffer heads. The error trace demonstrates execution flow through multiple kernel networking components including UDP GSO segmentation, GRO handling, and packet validation routines, ultimately failing during the packet transmission phase. The vulnerability is classified as a memory safety issue that can lead to kernel oops and system crashes, with the specific error code indicating a page fault at address 0x00000000000000c0, suggesting corrupted memory structures.

The operational impact of this vulnerability is significant for systems utilizing network bridging and packet segmentation features. Systems that process high volumes of network traffic through bridges and tunnel devices are particularly at risk, as the vulnerability can be triggered by normal network operations involving GRO-listed packets. Attackers could potentially exploit this flaw to cause denial of service conditions by crafting specific network traffic patterns that trigger the memory corruption, leading to kernel panics and system reboots. The vulnerability affects kernel versions prior to the fix, making it a critical concern for production systems running Linux kernel versions where this patch has not been applied. The flaw is particularly dangerous in virtualized environments or network infrastructure devices where bridging and tunneling are common operations.

Mitigation strategies for this vulnerability involve applying the kernel patch that implements proper skb uncloning before segmentation operations, ensuring that each packet processing path operates on independent memory structures rather than shared ones. System administrators should prioritize updating their kernel versions to include the fix for CVE-2023-54094, particularly in production environments where network bridging and tunneling are active. Additionally, monitoring network traffic patterns for unusual GRO-list behavior and implementing proper kernel security hardening measures can help detect potential exploitation attempts. The fix aligns with common security practices for preventing memory corruption vulnerabilities and follows principles outlined in the CWE-121 standard for buffer overflow conditions. This vulnerability also relates to ATT&CK technique T1059.001 for command and control through kernel-level exploitation, though the primary risk is system stability rather than direct privilege escalation. Organizations should also consider implementing network segmentation and monitoring to limit the potential impact of such kernel-level vulnerabilities in their infrastructure.

Responsible

Linux

Reservation

12/24/2025

Disclosure

12/24/2025

Moderation

accepted

CPE

ready

EPSS

0.00168

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!