ghsa-26wc-246g-r3wf
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
xsk: Fix xsk_diag use-after-free error during socket cleanup
Fix a use-after-free error that is possible if the xsk_diag interface is used after the socket has been unbound from the device. This can happen either due to the socket being closed or the device disappearing. In the early days of AF_XDP, the way we tested that a socket was not bound to a device was to simply check if the netdevice pointer in the xsk socket structure was NULL. Later, a better system was introduced by having an explicit state variable in the xsk socket struct. For example, the state of a socket that is on the way to being closed and has been unbound from the device is XSK_UNBOUND.
The commit in the Fixes tag below deleted the old way of signalling that a socket is unbound, setting dev to NULL. This in the belief that all code using the old way had been exterminated. That was unfortunately not true as the xsk diagnostics code was still using the old way and thus does not work as intended when a socket is going down. Fix this by introducing a test against the state variable. If the socket is in the state XSK_UNBOUND, simply abort the diagnostic's netlink operation.
{
"affected": [],
"aliases": [
"CVE-2023-53426"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-18T16:15:46Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Fix xsk_diag use-after-free error during socket cleanup\n\nFix a use-after-free error that is possible if the xsk_diag interface\nis used after the socket has been unbound from the device. This can\nhappen either due to the socket being closed or the device\ndisappearing. In the early days of AF_XDP, the way we tested that a\nsocket was not bound to a device was to simply check if the netdevice\npointer in the xsk socket structure was NULL. Later, a better system\nwas introduced by having an explicit state variable in the xsk socket\nstruct. For example, the state of a socket that is on the way to being\nclosed and has been unbound from the device is XSK_UNBOUND.\n\nThe commit in the Fixes tag below deleted the old way of signalling\nthat a socket is unbound, setting dev to NULL. This in the belief that\nall code using the old way had been exterminated. That was\nunfortunately not true as the xsk diagnostics code was still using the\nold way and thus does not work as intended when a socket is going\ndown. Fix this by introducing a test against the state variable. If\nthe socket is in the state XSK_UNBOUND, simply abort the diagnostic\u0027s\nnetlink operation.",
"id": "GHSA-26wc-246g-r3wf",
"modified": "2025-09-18T18:30:28Z",
"published": "2025-09-18T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53426"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3e019d8a05a38abb5c85d4f1e85fda964610aa14"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/595931912357fa3507e522a7f8a0a76e423c23e4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5979985f2d6b565b6cf0f79a62670a2855c0e96c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6436973164ea5506a495f39e56be5aea375e7832"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.