CVE-2023-53999 - Vulnerability Details

Vendors	Products
Linux	Linux Kernel

Link	Providers
https://git.kernel.org/stable/c/ac5da544a3c2047cbfd715acd9cec8380d7fe5c6
https://git.kernel.org/stable/c/bc1918bac0f30e3f551ef5649b53062917db55fa

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: TC, Fix internal port memory leak The flow rule can be splited, and the extra post_act rules are added to post_act table. It's possible to trigger memleak when the rule forwards packets from internal port and over tunnel, in the case that, for example, CT 'new' state offload is allowed. As int_port object is assigned to the flow attribute of post_act rule, and its refcnt is incremented by mlx5e_tc_int_port_get(), but mlx5e_tc_int_port_put() is not called, the refcnt is never decremented, then int_port is never freed. The kmemleak reports the following error: unreferenced object 0xffff888128204b80 (size 64): comm "handler20", pid 50121, jiffies 4296973009 (age 642.932s) hex dump (first 32 bytes): 01 00 00 00 19 00 00 00 03 f0 00 00 04 00 00 00 ................ 98 77 67 41 81 88 ff ff 98 77 67 41 81 88 ff ff .wgA.....wgA.... backtrace: [<00000000e992680d>] kmalloc_trace+0x27/0x120 [<000000009e945a98>] mlx5e_tc_int_port_get+0x3f3/0xe20 [mlx5_core] [<0000000035a537f0>] mlx5e_tc_add_fdb_flow+0x473/0xcf0 [mlx5_core] [<0000000070c2cec6>] __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core] [<000000005cc84048>] mlx5e_configure_flower+0xd40/0x4c40 [mlx5_core] [<000000004f8a2031>] mlx5e_rep_indr_offload.isra.0+0x10e/0x1c0 [mlx5_core] [<000000007df797dc>] mlx5e_rep_indr_setup_tc_cb+0x90/0x130 [mlx5_core] [<0000000016c15cc3>] tc_setup_cb_add+0x1cf/0x410 [<00000000a63305b4>] fl_hw_replace_filter+0x38f/0x670 [cls_flower] [<000000008bc9e77c>] fl_change+0x1fd5/0x4430 [cls_flower] [<00000000e7f766e4>] tc_new_tfilter+0x867/0x2010 [<00000000e101c0ef>] rtnetlink_rcv_msg+0x6fc/0x9f0 [<00000000e1111d44>] netlink_rcv_skb+0x12c/0x360 [<0000000082dd6c8b>] netlink_unicast+0x438/0x710 [<00000000fc568f70>] netlink_sendmsg+0x794/0xc50 [<0000000016e92590>] sock_sendmsg+0xc5/0x190 So fix this by moving int_port cleanup code to the flow attribute free helper, which is used by all the attribute free cases.
Title		net/mlx5e: TC, Fix internal port memory leak
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/ac5da544a3c2047cbfd715acd9cec8380d7fe5c6 https://git.kernel.org/stable/c/bc1918bac0f30e3f551ef5649b53062917db55fa

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-53999", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-24T10:53:46.176Z", "datePublished": "2025-12-24T10:55:35.523Z", "dateUpdated": "2025-12-24T10:55:35.523Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-24T10:55:35.523Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: TC, Fix internal port memory leak\n\nThe flow rule can be splited, and the extra post_act rules are added\nto post_act table. It's possible to trigger memleak when the rule\nforwards packets from internal port and over tunnel, in the case that,\nfor example, CT 'new' state offload is allowed. As int_port object is\nassigned to the flow attribute of post_act rule, and its refcnt is\nincremented by mlx5e_tc_int_port_get(), but mlx5e_tc_int_port_put() is\nnot called, the refcnt is never decremented, then int_port is never\nfreed.\n\nThe kmemleak reports the following error:\nunreferenced object 0xffff888128204b80 (size 64):\n comm \"handler20\", pid 50121, jiffies 4296973009 (age 642.932s)\n hex dump (first 32 bytes):\n 01 00 00 00 19 00 00 00 03 f0 00 00 04 00 00 00 ................\n 98 77 67 41 81 88 ff ff 98 77 67 41 81 88 ff ff .wgA.....wgA....\n backtrace:\n [<00000000e992680d>] kmalloc_trace+0x27/0x120\n [<000000009e945a98>] mlx5e_tc_int_port_get+0x3f3/0xe20 [mlx5_core]\n [<0000000035a537f0>] mlx5e_tc_add_fdb_flow+0x473/0xcf0 [mlx5_core]\n [<0000000070c2cec6>] __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core]\n [<000000005cc84048>] mlx5e_configure_flower+0xd40/0x4c40 [mlx5_core]\n [<000000004f8a2031>] mlx5e_rep_indr_offload.isra.0+0x10e/0x1c0 [mlx5_core]\n [<000000007df797dc>] mlx5e_rep_indr_setup_tc_cb+0x90/0x130 [mlx5_core]\n [<0000000016c15cc3>] tc_setup_cb_add+0x1cf/0x410\n [<00000000a63305b4>] fl_hw_replace_filter+0x38f/0x670 [cls_flower]\n [<000000008bc9e77c>] fl_change+0x1fd5/0x4430 [cls_flower]\n [<00000000e7f766e4>] tc_new_tfilter+0x867/0x2010\n [<00000000e101c0ef>] rtnetlink_rcv_msg+0x6fc/0x9f0\n [<00000000e1111d44>] netlink_rcv_skb+0x12c/0x360\n [<0000000082dd6c8b>] netlink_unicast+0x438/0x710\n [<00000000fc568f70>] netlink_sendmsg+0x794/0xc50\n [<0000000016e92590>] sock_sendmsg+0xc5/0x190\n\nSo fix this by moving int_port cleanup code to the flow attribute\nfree helper, which is used by all the attribute free cases."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/mellanox/mlx5/core/en_tc.c"], "versions": [{"version": "8300f225268be9ee2c0daf5a3f23929fcdcbf213", "lessThan": "bc1918bac0f30e3f551ef5649b53062917db55fa", "status": "affected", "versionType": "git"}, {"version": "8300f225268be9ee2c0daf5a3f23929fcdcbf213", "lessThan": "ac5da544a3c2047cbfd715acd9cec8380d7fe5c6", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/mellanox/mlx5/core/en_tc.c"], "versions": [{"version": "5.18", "status": "affected"}, {"version": "0", "lessThan": "5.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.4.11", "lessThanOrEqual": "6.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.4.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/bc1918bac0f30e3f551ef5649b53062917db55fa"}, {"url": "https://git.kernel.org/stable/c/ac5da544a3c2047cbfd715acd9cec8380d7fe5c6"}], "title": "net/mlx5e: TC, Fix internal port memory leak", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: TC, Fix internal port memory leak\n\nThe flow rule can be splited, and the extra post_act rules are added\nto post_act table. It's possible to trigger memleak when the rule\nforwards packets from internal port and over tunnel, in the case that,\nfor example, CT 'new' state offload is allowed. As int_port object is\nassigned to the flow attribute of post_act rule, and its refcnt is\nincremented by mlx5e_tc_int_port_get(), but mlx5e_tc_int_port_put() is\nnot called, the refcnt is never decremented, then int_port is never\nfreed.\n\nThe kmemleak reports the following error:\nunreferenced object 0xffff888128204b80 (size 64):\n comm \"handler20\", pid 50121, jiffies 4296973009 (age 642.932s)\n hex dump (first 32 bytes):\n 01 00 00 00 19 00 00 00 03 f0 00 00 04 00 00 00 ................\n 98 77 67 41 81 88 ff ff 98 77 67 41 81 88 ff ff .wgA.....wgA....\n backtrace:\n [<00000000e992680d>] kmalloc_trace+0x27/0x120\n [<000000009e945a98>] mlx5e_tc_int_port_get+0x3f3/0xe20 [mlx5_core]\n [<0000000035a537f0>] mlx5e_tc_add_fdb_flow+0x473/0xcf0 [mlx5_core]\n [<0000000070c2cec6>] __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core]\n [<000000005cc84048>] mlx5e_configure_flower+0xd40/0x4c40 [mlx5_core]\n [<000000004f8a2031>] mlx5e_rep_indr_offload.isra.0+0x10e/0x1c0 [mlx5_core]\n [<000000007df797dc>] mlx5e_rep_indr_setup_tc_cb+0x90/0x130 [mlx5_core]\n [<0000000016c15cc3>] tc_setup_cb_add+0x1cf/0x410\n [<00000000a63305b4>] fl_hw_replace_filter+0x38f/0x670 [cls_flower]\n [<000000008bc9e77c>] fl_change+0x1fd5/0x4430 [cls_flower]\n [<00000000e7f766e4>] tc_new_tfilter+0x867/0x2010\n [<00000000e101c0ef>] rtnetlink_rcv_msg+0x6fc/0x9f0\n [<00000000e1111d44>] netlink_rcv_skb+0x12c/0x360\n [<0000000082dd6c8b>] netlink_unicast+0x438/0x710\n [<00000000fc568f70>] netlink_sendmsg+0x794/0xc50\n [<0000000016e92590>] sock_sendmsg+0xc5/0x190\n\nSo fix this by moving int_port cleanup code to the flow attribute\nfree helper, which is used by all the attribute free cases."}], "id": "CVE-2023-53999", "lastModified": "2025-12-24T11:15:52.810", "metrics": {}, "published": "2025-12-24T11:15:52.810", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ac5da544a3c2047cbfd715acd9cec8380d7fe5c6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bc1918bac0f30e3f551ef5649b53062917db55fa"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object