CVE-2023-53698
Description
In the Linux kernel, the following vulnerability has been resolved:
xsk: fix refcount underflow in error path
Fix a refcount underflow problem reported by syzbot that can happen when a system is running out of memory. If xp_alloc_tx_descs() fails, and it can only fail due to not having enough memory, then the error path is triggered. In this error path, the refcount of the pool is decremented as it has incremented before. However, the reference to the pool in the socket was not nulled. This means that when the socket is closed later, the socket teardown logic will think that there is a pool attached to the socket and try to decrease the refcount again, leading to a refcount underflow.
I chose this fix as it involved adding just a single line. Another option would have been to move xp_get_pool() and the assignment of xs->pool to after the if-statement and using xs_umem->pool instead of xs->pool in the whole if-statement resulting in somewhat simpler code, but this would have led to much more churn in the code base perhaps making it harder to backport.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A refcount underflow vulnerability in the Linux kernel's XSK (AF_XDP) error path can be triggered by memory pressure, leading to a use-after-free or crash.
Vulnerability
Overview
CVE-2023-53698 is a refcount underflow vulnerability in the Linux kernel's AF_XDP (XSK) subsystem. The bug occurs in the error path of xsk_build_skb() when xp_alloc_tx_descs() fails, which can only happen due to insufficient memory [1]. In this path, the reference count of the buffer pool (pool) is decremented after having been incremented earlier, but the pointer to the pool stored in the socket (xs->pool) is not cleared [2].
Attack
Vector and Prerequisites
Exploitation requires a system to be under memory pressure, causing memory allocation failures during AF_XDP socket transmit operations. The attack is local and can be initiated by any user with the ability to create AF_XDP sockets (requiring CAP_NET_ADMIN or root privileges). No remote authentication is needed; the attacker triggers the bug by exhausting memory while using XSK sockets.
Impact
When the socket is closed later, the socket teardown logic sees the stale reference to the pool and decrements the refcount again, resulting in a refcount underflow. This can lead to use-after-free conditions, corruption of kernel memory, system crash (denial of service), or potentially privilege escalation if exploited carefully [1]. The vulnerability was reported by syzbot, a kernel fuzzer, indicating it is reliably triggerable.
Mitigation
The fix was applied in a single-line patch that clears xs->pool in the error path to prevent the double decrement [1]. The stable kernel branch has also incorporated the fix [2]. Users should update their Linux kernel to a version containing the commit 15b453cf7348973217558235b9ece2ee5fea6777 or later. No workaround is available other than applying the patch.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <6.6
Patches
4789fcd94c9ca15b453cf73483e7722c31d4185c2c79a0730Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.