CVE-2023-53705
Description
In the Linux kernel, the following vulnerability has been resolved:
ipv6: Fix out-of-bounds access in ipv6_find_tlv()
optlen is fetched without checking whether there is more than one byte to parse. It can lead to out-of-bounds access.
Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, ipv6_find_tlv() lacks a length check, leading to an out-of-bounds read when parsing options.
Description
The Linux kernel's IPv6 stack contains an out-of-bounds access vulnerability in the ipv6_find_tlv() function. The function parses IPv6 destination options headers but fails to verify that at least one byte remains before reading the optlen field. This oversight can cause the code to read beyond the intended buffer boundaries when processing a malformed packet [1][2][3]. The issue was discovered by InfoTeCS on behalf of the Linux Verification Center (linuxtesting.org) using the SVACE static analysis tool.
Exploitation
Exploitation requires the ability to send a crafted IPv6 packet to the target system. Specifically, an attacker can construct a destination options header where the option type and length fields are positioned such that the optlen fetch occurs when fewer than two bytes (one byte for type, one for length) remain in the buffer. No authentication is needed, and the attack can be performed remotely if the host is reachable over IPv6.
Impact
A successful out-of-bounds read could leak sensitive kernel memory or cause a kernel crash (denial of service). In some configurations, an attacker might leverage the read to bypass KASLR or other memory protections, though the primary consequence is system instability.
Mitigation
The vulnerability has been patched in the Linux kernel. The fix adds a bounds check before reading optlen, ensuring that the function can only proceed when the remaining buffer space is sufficient. Users should update to a kernel version containing the patch [1][2][3]. No workaround is available.
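The length test described above, as an added userspace illustration (not the kernel's code and not the patch): a TLV walk instrumented to record the highest index it reads, run without and with the two-byte check. The names `find_tlv`, `rd`, `max_idx`, `sample` and the sample bytes are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define TLV_PAD1 0      /* Pad1 is a lone type byte with no length byte */
#define AREA_LEN 6      /* logical size of the option area below */

/* Constructed sample: 6 option bytes, then one byte that is NOT part of the
 * area (it stands in for adjacent memory so the demo itself stays in bounds). */
static const uint8_t sample[AREA_LEN + 1] = { 0x05, 0x02, 0, 0, 0, 0x1e, 0xaa };
static int max_idx;     /* highest buffer index read by the last walk */

static int rd(const uint8_t *buf, int i)
{
    if (i > max_idx)
        max_idx = i;
    return buf[i];
}

/* Return the offset of the first option of `type` in buf[0..len), or -1 if
 * absent or malformed. `checked` applies the length test the fix describes. */
static int find_tlv(const uint8_t *buf, int len, int type, int checked)
{
    int offset = 0;
    max_idx = -1;
    while (len > 0) {
        int opttype = rd(buf, offset), optlen = 1;  /* 1 = Pad1 size */
        if (opttype == type)
            return offset;
        if (opttype != TLV_PAD1) {
            if (checked && len < 2)
                return -1;              /* no room for a length byte */
            optlen = rd(buf, offset + 1) + 2;
            if (optlen > len)
                return -1;              /* option overruns the area */
        }
        offset += optlen;
        len -= optlen;
    }
    return -1;
}

int main(void)
{
    for (int checked = 0; checked <= 1; checked++) {
        int ret = find_tlv(sample, AREA_LEN, 0xc2, checked);
        printf("checked=%d ret=%d highest index read=%d (area ends at %d)\n",
               checked, ret, max_idx, AREA_LEN - 1);
    }
    return 0;
}
```

Both runs return -1, so the return value alone does not reveal the defect; only the recorded index shows the unchecked walk reading one byte past the area.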
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (8)
59e656d0d4a8 04bf69e3de43 011f47c8b838 e5f82688ae10 9b92e2d0eb69 91dd8aab9c9f ae68c0f7edbc 878ecb0897f4
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/011f47c8b8389154f996f5f69da8efc3a3beefef (nvd)
- git.kernel.org/stable/c/04bf69e3de435d793a203aacc4b774f8f9f2baeb (nvd)
- git.kernel.org/stable/c/59e656d0d4a84ea0ee9a39c6f69160a3effccc94 (nvd)
- git.kernel.org/stable/c/878ecb0897f4737a4c9401f3523fd49589025671 (nvd)
- git.kernel.org/stable/c/91dd8aab9c9f193210681b86b6b92840ffe74f0c (nvd)
- git.kernel.org/stable/c/9b92e2d0eb696d7586ba832c8854653b59887da0 (nvd)
- git.kernel.org/stable/c/ae68c0f7edbc9a294094ce03a0aaf45aa489ce40 (nvd)
- git.kernel.org/stable/c/e5f82688ae10f5f386952e65e941bb8868ee54dc (nvd)