NVD

CVE-2023-53489 Detail

Description

In the Linux kernel, the following vulnerability has been resolved: tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp. syzkaller reported [0] memory leaks of an UDP socket and ZEROCOPY skbs. We can reproduce the problem with these sequences: sk = socket(AF_INET, SOCK_DGRAM, 0) sk.setsockopt(SOL_SOCKET, SO_TIMESTAMPING, SOF_TIMESTAMPING_TX_SOFTWARE) sk.setsockopt(SOL_SOCKET, SO_ZEROCOPY, 1) sk.sendto(b'', MSG_ZEROCOPY, ('127.0.0.1', 53)) sk.close() sendmsg() calls msg_zerocopy_alloc(), which allocates a skb, sets skb->cb->ubuf.refcnt to 1, and calls sock_hold(). Here, struct ubuf_info_msgzc indirectly holds a refcnt of the socket. When the skb is sent, __skb_tstamp_tx() clones it and puts the clone into the socket's error queue with the TX timestamp. When the original skb is received locally, skb_copy_ubufs() calls skb_unclone(), and pskb_expand_head() increments skb->cb->ubuf.refcnt. This additional count is decremented while freeing the skb, but struct ubuf_info_msgzc still has a refcnt, so __msg_zerocopy_callback() is not called. The last refcnt is not released unless we retrieve the TX timestamped skb by recvmsg(). Since we clear the error queue in inet_sock_destruct() after the socket's refcnt reaches 0, there is a circular dependency. If we close() the socket holding such skbs, we never call sock_put() and leak the count, sk, and skb. TCP has the same problem, and commit e0c8bccd40fc ("net: stream: purge sk_error_queue in sk_stream_kill_queues()") tried to fix it by calling skb_queue_purge() during close(). However, there is a small chance that skb queued in a qdisc or device could be put into the error queue after the skb_queue_purge() call. In __skb_tstamp_tx(), the cloned skb should not have a reference to the ubuf to remove the circular dependency, but skb_clone() does not call skb_copy_ubufs() for zerocopy skb. So, we need to call skb_orphan_frags_rx() for the cloned skb to call skb_copy_ubufs(). [0]: BUG: memory leak unreferenced object 0xffff88800c6d2d00 (size 1152): comm "syz-executor392", pid 264, jiffies 4294785440 (age 13.044s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 cd af e8 81 00 00 00 00 ................ 02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............ backtrace: [<0000000055636812>] sk_prot_alloc+0x64/0x2a0 net/core/sock.c:2024 [<0000000054d77b7a>] sk_alloc+0x3b/0x800 net/core/sock.c:2083 [<0000000066f3c7e0>] inet_create net/ipv4/af_inet.c:319 [inline] [<0000000066f3c7e0>] inet_create+0x31e/0xe40 net/ipv4/af_inet.c:245 [<000000009b83af97>] __sock_create+0x2ab/0x550 net/socket.c:1515 [<00000000b9b11231>] sock_create net/socket.c:1566 [inline] [<00000000b9b11231>] __sys_socket_create net/socket.c:1603 [inline] [<00000000b9b11231>] __sys_socket_create net/socket.c:1588 [inline] [<00000000b9b11231>] __sys_socket+0x138/0x250 net/socket.c:1636 [<000000004fb45142>] __do_sys_socket net/socket.c:1649 [inline] [<000000004fb45142>] __se_sys_socket net/socket.c:1647 [inline] [<000000004fb45142>] __x64_sys_socket+0x73/0xb0 net/socket.c:1647 [<0000000066999e0e>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<0000000066999e0e>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80 [<0000000017f238c1>] entry_SYSCALL_64_after_hwframe+0x63/0xcd BUG: memory leak unreferenced object 0xffff888017633a00 (size 240): comm "syz-executor392", pid 264, jiffies 4294785440 (age 13.044s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 2d 6d 0c 80 88 ff ff .........-m..... backtrace: [<000000002b1c4368>] __alloc_skb+0x229/0x320 net/core/skbuff.c:497 [<00000000143579a6>] alloc_skb include/linux/skbuff.h:1265 [inline] [<00000000143579a6>] sock_omalloc+0xaa/0x190 net/core/sock.c:2596 [<00000000be626478>] msg_zerocopy_alloc net/core/skbuff.c:1294 [inline] [<00000000be626478>] ---truncated---

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score: 5.5 MEDIUM

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL	Source(s)	Tag(s)
https://git.kernel.org/stable/c/1f69c086b20e27763af28145981435423f088268	kernel.org	Patch
https://git.kernel.org/stable/c/230a5ed7d813fb516de81d23f09d7506753e41e9	kernel.org	Patch
https://git.kernel.org/stable/c/281072fb2a7294cde7acbf5375b879f40a8001b7	kernel.org	Patch
https://git.kernel.org/stable/c/30290f210ba7426ff7592fe2eb4114b1b5bad219	kernel.org	Patch
https://git.kernel.org/stable/c/426384dd4980040651536fef5feac4dcc4d7ee4e	kernel.org	Patch
https://git.kernel.org/stable/c/43e4197dd5f6b474a8b16f8b6a42cd45cf4f9d1a	kernel.org	Patch
https://git.kernel.org/stable/c/50749f2dd6854a41830996ad302aef2ffaf011d8	kernel.org	Patch
https://git.kernel.org/stable/c/602fa8af44fd55a58f9e94eb673e8adad2c6cc46	kernel.org	Patch
https://git.kernel.org/stable/c/cb52e7f24c1d01a536a847dff0d1d95889cc3b5c	kernel.org	Patch

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-401	Missing Release of Memory after Effective Lifetime	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

3 change records found show changes

CVE Modified by kernel.org 6/17/2026 2:45:27 AM

Action

Type

Old Value

New Value

Added

Affected

Record truncated, showing 2048 of 2688 characters.
View Entire Change Record

[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/core/skbuff.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"f214f915e7db99091f1312c48b30928c1e0c90b7","lessThan":"281072fb2a7294cde7acbf5375b879f40a8001b7","versionType":"git","status":"affected"},{"version":"f214f915e7db99091f1312c48b30928c1e0c90b7","lessThan":"1f69c086b20e27763af28145981435423f088268","versionType":"git","status":"affected"},{"version":"f214f915e7db99091f1312c48b30928c1e0c90b7","lessThan":"602fa8af44fd55a58f9e94eb673e8adad2c6cc46","versionType":"git","status":"affected"},{"version":"f214f915e7db99091f1312c48b30928c1e0c90b7","lessThan":"230a5ed7d813fb516de81d23f09d7506753e41e9","versionType":"git","status":"affected"},{"version":"f214f915e7db99091f1312c48b30928c1e0c90b7","lessThan":"43e4197dd5f6b474a8b16f8b6a42cd45cf4f9d1a","versionType":"git","status":"affected"},{"version":"f214f915e7db99091f1312c48b30928c1e0c90b7","lessThan":"cb52e7f24c1d01a536a847dff0d1d95889cc3b5c","versionType":"git","status":"affected"},{"version":"f214f915e7db99091f1312c48b30928c1e0c90b7","lessThan":"30290f210ba7426ff7592fe2eb4114b1b5bad219","versionType":"git","status":"affected"},{"version":"f214f915e7db99091f1312c48b30928c1e0c90b7","lessThan":"426384dd4980040651536fef5feac4dcc4d7ee4e","versionType":"git","status":"affected"},{"version":"f214f915e7db99091f1312c48b30928c1e0c90b7","lessThan":"50749f2dd6854a41830996ad302aef2ffaf011d8","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/core/skbuff.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.14","status":"affected"},{"version":"0","lessThan":"4.14","versionType":"semver","status":"unaffected"},{"version":"4.14.315","lessThanOrEqual":"4.14.*","versionType":"semver","status":"unaffected"},{"version":"4.19.283","lessThanOrEqual":"4.19.*","versionType":"semver","status":"unaffected"},{"version":"5.4.243","

Initial Analysis by NIST 1/21/2026 4:24:17 PM

Action	Type	New Value
Added	CVSS V3.1	AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Added	CWE	CWE-401
Added	CPE Configuration	OR cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.3 up to (excluding) 6.3.2 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.2 up to (excluding) 6.2.15 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 5.16 up to (excluding) 6.1.28 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 5.11 up to (excluding) 5.15.111 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 5.5 up to (excluding) 5.10.180 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 4.20 up to (excluding) 5.4.243 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 4.15 up to (excluding) 4.19.283 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 4.14 up to (excluding) 4.14.315
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/1f69c086b20e27763af28145981435423f088268 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/230a5ed7d813fb516de81d23f09d7506753e41e9 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/281072fb2a7294cde7acbf5375b879f40a8001b7 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/30290f210ba7426ff7592fe2eb4114b1b5bad219 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/426384dd4980040651536fef5feac4dcc4d7ee4e Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/43e4197dd5f6b474a8b16f8b6a42cd45cf4f9d1a Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/50749f2dd6854a41830996ad302aef2ffaf011d8 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/602fa8af44fd55a58f9e94eb673e8adad2c6cc46 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/cb52e7f24c1d01a536a847dff0d1d95889cc3b5c Types: Patch

New CVE Received from kernel.org 10/01/2025 8:15:51 AM

Action	Type	New Value
Added	Description	Record truncated, showing 2048 of 3998 characters. View Entire Change Record In the Linux kernel, the following vulnerability has been resolved: tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp. syzkaller reported [0] memory leaks of an UDP socket and ZEROCOPY skbs. We can reproduce the problem with these sequences: sk = socket(AF_INET, SOCK_DGRAM, 0) sk.setsockopt(SOL_SOCKET, SO_TIMESTAMPING, SOF_TIMESTAMPING_TX_SOFTWARE) sk.setsockopt(SOL_SOCKET, SO_ZEROCOPY, 1) sk.sendto(b'', MSG_ZEROCOPY, ('127.0.0.1', 53)) sk.close() sendmsg() calls msg_zerocopy_alloc(), which allocates a skb, sets skb->cb->ubuf.refcnt to 1, and calls sock_hold(). Here, struct ubuf_info_msgzc indirectly holds a refcnt of the socket. When the skb is sent, __skb_tstamp_tx() clones it and puts the clone into the socket's error queue with the TX timestamp. When the original skb is received locally, skb_copy_ubufs() calls skb_unclone(), and pskb_expand_head() increments skb->cb->ubuf.refcnt. This additional count is decremented while freeing the skb, but struct ubuf_info_msgzc still has a refcnt, so __msg_zerocopy_callback() is not called. The last refcnt is not released unless we retrieve the TX timestamped skb by recvmsg(). Since we clear the error queue in inet_sock_destruct() after the socket's refcnt reaches 0, there is a circular dependency. If we close() the socket holding such skbs, we never call sock_put() and leak the count, sk, and skb. TCP has the same problem, and commit e0c8bccd40fc ("net: stream: purge sk_error_queue in sk_stream_kill_queues()") tried to fix it by calling skb_queue_purge() during close(). However, there is a small chance that skb queued in a qdisc or device could be put into the error queue after the skb_queue_purge() call. In __skb_tstamp_tx(), the cloned skb should not have a reference to the ubuf to remove the circular dependency, but skb_clone() does not call skb_copy_ubufs() for zerocopy skb. So, we need to call skb_orphan_frags_rx() for the cloned skb to call skb_copy_ubufs(). [0]: BUG: memory leak unreferenced object 0xffff88800c6d2d00 (size 11
Added	Reference	https://git.kernel.org/stable/c/1f69c086b20e27763af28145981435423f088268
Added	Reference	https://git.kernel.org/stable/c/230a5ed7d813fb516de81d23f09d7506753e41e9
Added	Reference	https://git.kernel.org/stable/c/281072fb2a7294cde7acbf5375b879f40a8001b7
Added	Reference	https://git.kernel.org/stable/c/30290f210ba7426ff7592fe2eb4114b1b5bad219
Added	Reference	https://git.kernel.org/stable/c/426384dd4980040651536fef5feac4dcc4d7ee4e
Added	Reference	https://git.kernel.org/stable/c/43e4197dd5f6b474a8b16f8b6a42cd45cf4f9d1a
Added	Reference	https://git.kernel.org/stable/c/50749f2dd6854a41830996ad302aef2ffaf011d8
Added	Reference	https://git.kernel.org/stable/c/602fa8af44fd55a58f9e94eb673e8adad2c6cc46
Added	Reference	https://git.kernel.org/stable/c/cb52e7f24c1d01a536a847dff0d1d95889cc3b5c

Quick Info

CVE Dictionary Entry:
CVE-2023-53489
NVD Published Date:
10/01/2025
NVD Last Modified:
06/17/2026
Source:
kernel.org

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

CVE-2023-53489 Detail

Description

Metrics

References to Advisories, Solutions, and Tools

Weakness Enumeration

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Change History

CVE Modified by kernel.org 6/17/2026 2:45:27 AM

Initial Analysis by NIST 1/21/2026 4:24:17 PM

New CVE Received from kernel.org 10/01/2025 8:15:51 AM

Quick Info