{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-52991", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-03-27T16:40:15.741Z", "datePublished": "2025-03-27T16:43:26.991Z", "dateUpdated": "2025-10-01T20:17:04.316Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T07:47:02.849Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix NULL pointer in skb_segment_list\n\nCommit 3a1296a38d0c (\"net: Support GRO/GSO fraglist chaining.\")\nintroduced UDP listifyed GRO. The segmentation relies on frag_list being\nuntouched when passing through the network stack. This assumption can be\nbroken sometimes, where frag_list itself gets pulled into linear area,\nleaving frag_list being NULL. When this happens it can trigger\nfollowing NULL pointer dereference, and panic the kernel. Reverse the\ntest condition should fix it.\n\n[19185.577801][ C1] BUG: kernel NULL pointer dereference, address:\n...\n[19185.663775][ C1] RIP: 0010:skb_segment_list+0x1cc/0x390\n...\n[19185.834644][ C1] Call Trace:\n[19185.841730][ C1] <TASK>\n[19185.848563][ C1] __udp_gso_segment+0x33e/0x510\n[19185.857370][ C1] inet_gso_segment+0x15b/0x3e0\n[19185.866059][ C1] skb_mac_gso_segment+0x97/0x110\n[19185.874939][ C1] __skb_gso_segment+0xb2/0x160\n[19185.883646][ C1] udp_queue_rcv_skb+0xc3/0x1d0\n[19185.892319][ C1] udp_unicast_rcv_skb+0x75/0x90\n[19185.900979][ C1] ip_protocol_deliver_rcu+0xd2/0x200\n[19185.910003][ C1] ip_local_deliver_finish+0x44/0x60\n[19185.918757][ C1] __netif_receive_skb_one_core+0x8b/0xa0\n[19185.927834][ C1] process_backlog+0x88/0x130\n[19185.935840][ C1] __napi_poll+0x27/0x150\n[19185.943447][ C1] net_rx_action+0x27e/0x5f0\n[19185.951331][ C1] ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core]\n[19185.960848][ C1] __do_softirq+0xbc/0x25d\n[19185.968607][ C1] irq_exit_rcu+0x83/0xb0\n[19185.976247][ C1] common_interrupt+0x43/0xa0\n[19185.984235][ C1] asm_common_interrupt+0x22/0x40\n...\n[19186.094106][ C1] </TASK>"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/core/skbuff.c"], "versions": [{"version": "3a1296a38d0cf62bffb9a03c585cbd5dbf15d596", "lessThan": "6446369fb9f083ce032448c5047da08e298b22e6", "status": "affected", "versionType": "git"}, {"version": "3a1296a38d0cf62bffb9a03c585cbd5dbf15d596", "lessThan": "046de74f9af92ae9ffce75fa22a1795223f4fb54", "status": "affected", "versionType": "git"}, {"version": "3a1296a38d0cf62bffb9a03c585cbd5dbf15d596", "lessThan": "888dad6f3e85e3b2f8389bd6478f181efc72534d", "status": "affected", "versionType": "git"}, {"version": "3a1296a38d0cf62bffb9a03c585cbd5dbf15d596", "lessThan": "876e8ca8366735a604bac86ff7e2732fc9d85d2d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/core/skbuff.c"], "versions": [{"version": "5.6", "status": "affected"}, {"version": "0", "lessThan": "5.6", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.167", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.92", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.10", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "5.10.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "5.15.92"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.1.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "6.2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6446369fb9f083ce032448c5047da08e298b22e6"}, {"url": "https://git.kernel.org/stable/c/046de74f9af92ae9ffce75fa22a1795223f4fb54"}, {"url": "https://git.kernel.org/stable/c/888dad6f3e85e3b2f8389bd6478f181efc72534d"}, {"url": "https://git.kernel.org/stable/c/876e8ca8366735a604bac86ff7e2732fc9d85d2d"}], "title": "net: fix NULL pointer in skb_segment_list", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-52991", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-01T20:08:20.181820Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-01T20:17:04.316Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-52991", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-01T20:08:20.181820Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-01T14:36:28.608Z"}}], "cna": {"title": "net: fix NULL pointer in skb_segment_list", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "3a1296a38d0cf62bffb9a03c585cbd5dbf15d596", "lessThan": "6446369fb9f083ce032448c5047da08e298b22e6", "versionType": "git"}, {"status": "affected", "version": "3a1296a38d0cf62bffb9a03c585cbd5dbf15d596", "lessThan": "046de74f9af92ae9ffce75fa22a1795223f4fb54", "versionType": "git"}, {"status": "affected", "version": "3a1296a38d0cf62bffb9a03c585cbd5dbf15d596", "lessThan": "888dad6f3e85e3b2f8389bd6478f181efc72534d", "versionType": "git"}, {"status": "affected", "version": "3a1296a38d0cf62bffb9a03c585cbd5dbf15d596", "lessThan": "876e8ca8366735a604bac86ff7e2732fc9d85d2d", "versionType": "git"}], "programFiles": ["net/core/skbuff.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.6"}, {"status": "unaffected", "version": "0", "lessThan": "5.6", "versionType": "semver"}, {"status": "unaffected", "version": "5.10.167", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.92", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.10", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/core/skbuff.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/6446369fb9f083ce032448c5047da08e298b22e6"}, {"url": "https://git.kernel.org/stable/c/046de74f9af92ae9ffce75fa22a1795223f4fb54"}, {"url": "https://git.kernel.org/stable/c/888dad6f3e85e3b2f8389bd6478f181efc72534d"}, {"url": "https://git.kernel.org/stable/c/876e8ca8366735a604bac86ff7e2732fc9d85d2d"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix NULL pointer in skb_segment_list\n\nCommit 3a1296a38d0c (\"net: Support GRO/GSO fraglist chaining.\")\nintroduced UDP listifyed GRO. The segmentation relies on frag_list being\nuntouched when passing through the network stack. This assumption can be\nbroken sometimes, where frag_list itself gets pulled into linear area,\nleaving frag_list being NULL. When this happens it can trigger\nfollowing NULL pointer dereference, and panic the kernel. Reverse the\ntest condition should fix it.\n\n[19185.577801][ C1] BUG: kernel NULL pointer dereference, address:\n...\n[19185.663775][ C1] RIP: 0010:skb_segment_list+0x1cc/0x390\n...\n[19185.834644][ C1] Call Trace:\n[19185.841730][ C1] <TASK>\n[19185.848563][ C1] __udp_gso_segment+0x33e/0x510\n[19185.857370][ C1] inet_gso_segment+0x15b/0x3e0\n[19185.866059][ C1] skb_mac_gso_segment+0x97/0x110\n[19185.874939][ C1] __skb_gso_segment+0xb2/0x160\n[19185.883646][ C1] udp_queue_rcv_skb+0xc3/0x1d0\n[19185.892319][ C1] udp_unicast_rcv_skb+0x75/0x90\n[19185.900979][ C1] ip_protocol_deliver_rcu+0xd2/0x200\n[19185.910003][ C1] ip_local_deliver_finish+0x44/0x60\n[19185.918757][ C1] __netif_receive_skb_one_core+0x8b/0xa0\n[19185.927834][ C1] process_backlog+0x88/0x130\n[19185.935840][ C1] __napi_poll+0x27/0x150\n[19185.943447][ C1] net_rx_action+0x27e/0x5f0\n[19185.951331][ C1] ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core]\n[19185.960848][ C1] __do_softirq+0xbc/0x25d\n[19185.968607][ C1] irq_exit_rcu+0x83/0xb0\n[19185.976247][ C1] common_interrupt+0x43/0xa0\n[19185.984235][ C1] asm_common_interrupt+0x22/0x40\n...\n[19186.094106][ C1] </TASK>"}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.167", "versionStartIncluding": "5.6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.92", "versionStartIncluding": "5.6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.1.10", "versionStartIncluding": "5.6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.2", "versionStartIncluding": "5.6"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T07:47:02.849Z"}}}, "cveMetadata": {"cveId": "CVE-2023-52991", "state": "PUBLISHED", "dateUpdated": "2025-10-01T20:17:04.316Z", "dateReserved": "2025-03-27T16:40:15.741Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2025-03-27T16:43:26.991Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "101645FF-CEF8-4860-A44D-A0DA5F0D4E5C", "versionEndExcluding": "5.10.167", "versionStartIncluding": "5.6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "82E7FA6E-E503-40DE-995C-EB8E2C9CDAE3", "versionEndExcluding": "5.15.92", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "482D2612-A4D4-4A68-AC23-52F6BE89878B", "versionEndExcluding": "6.1.10", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "FF501633-2F44-4913-A8EE-B021929F49F6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*", "matchCriteriaId": "2BDA597B-CAC1-4DF0-86F0-42E142C654E9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*", "matchCriteriaId": "725C78C9-12CE-406F-ABE8-0813A01D66E8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*", "matchCriteriaId": "A127C155-689C-4F67-B146-44A57F4BFD85", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:*", "matchCriteriaId": "D34127CC-68F5-4703-A5F6-5006F803E4AE", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc6:*:*:*:*:*:*", "matchCriteriaId": "4AB8D555-648E-4F2F-98BD-3E7F45BD12A8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix NULL pointer in skb_segment_list\n\nCommit 3a1296a38d0c (\"net: Support GRO/GSO fraglist chaining.\")\nintroduced UDP listifyed GRO. The segmentation relies on frag_list being\nuntouched when passing through the network stack. This assumption can be\nbroken sometimes, where frag_list itself gets pulled into linear area,\nleaving frag_list being NULL. When this happens it can trigger\nfollowing NULL pointer dereference, and panic the kernel. Reverse the\ntest condition should fix it.\n\n[19185.577801][ C1] BUG: kernel NULL pointer dereference, address:\n...\n[19185.663775][ C1] RIP: 0010:skb_segment_list+0x1cc/0x390\n...\n[19185.834644][ C1] Call Trace:\n[19185.841730][ C1] <TASK>\n[19185.848563][ C1] __udp_gso_segment+0x33e/0x510\n[19185.857370][ C1] inet_gso_segment+0x15b/0x3e0\n[19185.866059][ C1] skb_mac_gso_segment+0x97/0x110\n[19185.874939][ C1] __skb_gso_segment+0xb2/0x160\n[19185.883646][ C1] udp_queue_rcv_skb+0xc3/0x1d0\n[19185.892319][ C1] udp_unicast_rcv_skb+0x75/0x90\n[19185.900979][ C1] ip_protocol_deliver_rcu+0xd2/0x200\n[19185.910003][ C1] ip_local_deliver_finish+0x44/0x60\n[19185.918757][ C1] __netif_receive_skb_one_core+0x8b/0xa0\n[19185.927834][ C1] process_backlog+0x88/0x130\n[19185.935840][ C1] __napi_poll+0x27/0x150\n[19185.943447][ C1] net_rx_action+0x27e/0x5f0\n[19185.951331][ C1] ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core]\n[19185.960848][ C1] __do_softirq+0xbc/0x25d\n[19185.968607][ C1] irq_exit_rcu+0x83/0xb0\n[19185.976247][ C1] common_interrupt+0x43/0xa0\n[19185.984235][ C1] asm_common_interrupt+0x22/0x40\n...\n[19186.094106][ C1] </TASK>"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: correcci\u00f3n de puntero nulo en skb_segment_list. El commit 3a1296a38d0c (\"net: Compatibilidad con encadenamiento de fraglist GRO/GSO\") introdujo GRO con lista UDP. La segmentaci\u00f3n depende de que frag_list permanezca intacto al pasar por la pila de red. Esta suposici\u00f3n puede fallar a veces, ya que frag_list se arrastra al \u00e1rea lineal, dejando frag_list como nulo. Cuando esto sucede, puede desencadenar la consiguiente desreferencia de puntero nulo y generar un p\u00e1nico en el kernel. Revertir la condici\u00f3n de prueba deber\u00eda solucionarlo. [19185.577801][ C1] ERROR: desreferencia de puntero NULL del n\u00facleo, direcci\u00f3n: ... [19185.663775][ C1] RIP: 0010:skb_segment_list+0x1cc/0x390 ... [19185.834644][ C1] Rastreo de llamadas: [19185.841730][ C1] [19185.848563][ C1] __udp_gso_segment+0x33e/0x510 [19185.857370][ C1] inet_gso_segment+0x15b/0x3e0 [19185.866059][ C1] skb_mac_gso_segment+0x97/0x110 [19185.874939][ C1] __skb_gso_segment+0xb2/0x160 [19185.883646][ C1] udp_queue_rcv_skb+0xc3/0x1d0 [19185.892319][ C1] udp_unicast_rcv_skb+0x75/0x90 [19185.900979][ C1] ip_protocol_deliver_rcu+0xd2/0x200 [19185.910003][ C1] ip_local_deliver_finish+0x44/0x60 [19185.918757][ C1] __netif_receive_skb_one_core+0x8b/0xa0 [19185.927834][ C1] registro_de_proceso+0x88/0x130 [19185.935840][ C1] __napi_poll+0x27/0x150 [19185.943447][ C1] acci\u00f3n_de_rx_net+0x27e/0x5f0 [19185.951331][ C1] ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core] [19185.960848][ C1] __do_softirq+0xbc/0x25d [19185.968607][ C1] irq_exit_rcu+0x83/0xb0 [19185.976247][ C1] common_interrupt+0x43/0xa0 [19185.984235][ C1] asm_common_interrupt+0x22/0x40 ... [19186.094106][ C1] "}], "id": "CVE-2023-52991", "lastModified": "2025-10-01T21:15:42.190", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-03-27T17:15:46.540", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/046de74f9af92ae9ffce75fa22a1795223f4fb54"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6446369fb9f083ce032448c5047da08e298b22e6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/876e8ca8366735a604bac86ff7e2732fc9d85d2d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/888dad6f3e85e3b2f8389bd6478f181efc72534d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-476"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:7077", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-513.5.1.el8_9", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-11-14T00:00:00Z"}, {"advisory": "RHSA-2023:6583", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-362.8.1.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}, {"advisory": "RHSA-2023:6583", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-362.8.1.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}], "bugzilla": {"description": "kernel: net: fix NULL pointer in skb_segment_list", "id": "2355500", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2355500"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet: fix NULL pointer in skb_segment_list\nCommit 3a1296a38d0c (\"net: Support GRO/GSO fraglist chaining.\")\nintroduced UDP listifyed GRO. The segmentation relies on frag_list being\nuntouched when passing through the network stack. This assumption can be\nbroken sometimes, where frag_list itself gets pulled into linear area,\nleaving frag_list being NULL. When this happens it can trigger\nfollowing NULL pointer dereference, and panic the kernel. Reverse the\ntest condition should fix it.\n[19185.577801][ C1] BUG: kernel NULL pointer dereference, address:\n...\n[19185.663775][ C1] RIP: 0010:skb_segment_list+0x1cc/0x390\n...\n[19185.834644][ C1] Call Trace:\n[19185.841730][ C1] <TASK>\n[19185.848563][ C1] __udp_gso_segment+0x33e/0x510\n[19185.857370][ C1] inet_gso_segment+0x15b/0x3e0\n[19185.866059][ C1] skb_mac_gso_segment+0x97/0x110\n[19185.874939][ C1] __skb_gso_segment+0xb2/0x160\n[19185.883646][ C1] udp_queue_rcv_skb+0xc3/0x1d0\n[19185.892319][ C1] udp_unicast_rcv_skb+0x75/0x90\n[19185.900979][ C1] ip_protocol_deliver_rcu+0xd2/0x200\n[19185.910003][ C1] ip_local_deliver_finish+0x44/0x60\n[19185.918757][ C1] __netif_receive_skb_one_core+0x8b/0xa0\n[19185.927834][ C1] process_backlog+0x88/0x130\n[19185.935840][ C1] __napi_poll+0x27/0x150\n[19185.943447][ C1] net_rx_action+0x27e/0x5f0\n[19185.951331][ C1] ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core]\n[19185.960848][ C1] __do_softirq+0xbc/0x25d\n[19185.968607][ C1] irq_exit_rcu+0x83/0xb0\n[19185.976247][ C1] common_interrupt+0x43/0xa0\n[19185.984235][ C1] asm_common_interrupt+0x22/0x40\n...\n[19186.094106][ C1] </TASK>", "A flaw was found in the Linux kernel's net subsystem. A NULL pointer dereference can be triggered when a specific sequence of network events occurs due to an improper check, resulting in a denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-52991", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-03-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-52991\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52991\nhttps://lore.kernel.org/linux-cve-announce/2025032709-CVE-2023-52991-6358@gregkh/T"], "statement": "This issue has been fixed in Red Hat Enterprise Linux 8.9 and 9.3 via RHSA-2023:7077 [1] and RHSA-2023:6583 [2], respectively.\n[1]. https://access.redhat.com/errata/RHSA-2023:7077\n[2]. https://access.redhat.com/errata/RHSA-2023:6583", "threat_severity": "Moderate"}