CVE-2023-53716

Vulnerability

Analysis

A memory leak vulnerability exists in the Linux kernel's __skb_tstamp_tx() function. The issue was introduced by commit 50749f2dd685, which added a call to skb_orphan_frags_rx() to fix a separate memory leak involving zerocopy skbs and TX timestamps. However, when skb_orphan_frags_rx() fails, the function returns without freeing the skb it had just cloned, resulting in a new leak [1][2][3].

Exploitation

An attacker would need to trigger the specific code path where skb_orphan_frags_rx() fails. This could potentially be achieved by sending network packets that cause the kernel to allocate and timestamp-related skbs, leading to repeated failures. The attack does not require special privileges beyond the ability to send network traffic, but the exact prerequisites depend on the system configuration and kernel version.

Impact

Successful exploitation leads to a kernel memory leak, which can gradually exhaust system memory resources. This may cause denial of service (DoS) as the system becomes unresponsive or crashes due to memory exhaustion. The vulnerability does not directly allow code execution or privilege escalation.

Mitigation

The fix

The fix is included in Linux kernel stable updates. Patched versions are available in the kernel git repository [1][2][3]. Users should update their kernel to a version containing the commit that frees the skb before returning on error. No workaround is known.