VYPR
← All advisories
Unrated severityNVD Advisory· Published Oct 22, 2025· Updated Apr 15, 2026

CVE-2023-53726

CVE-2023-53726

Description

In the Linux kernel, the following vulnerability has been resolved:

arm64: csum: Fix OoB access in IP checksum code for negative lengths

Although commit c2c24edb1d9c ("arm64: csum: Fix pathological zero-length calls") added an early return for zero-length input, syzkaller has popped up with an example of a _negative_ length which causes an undefined shift and an out-of-bounds read:

| BUG: KASAN: slab-out-of-bounds in do_csum+0x44/0x254 arch/arm64/lib/csum.c:39 | Read of size 4294966928 at addr ffff0000d7ac0170 by task syz-executor412/5975 | | CPU: 0 PID: 5975 Comm: syz-executor412 Not tainted 6.4.0-rc4-syzkaller-g908f31f2a05b #0 | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 | Call trace: | dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233 | show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240 | __dump_stack lib/dump_stack.c:88 [inline] | dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106 | print_address_description mm/kasan/report.c:351 [inline] | print_report+0x174/0x514 mm/kasan/report.c:462 | kasan_report+0xd4/0x130 mm/kasan/report.c:572 | kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:187 | __kasan_check_read+0x20/0x30 mm/kasan/shadow.c:31 | do_csum+0x44/0x254 arch/arm64/lib/csum.c:39 | csum_partial+0x30/0x58 lib/checksum.c:128 | gso_make_checksum include/linux/skbuff.h:4928 [inline] | __udp_gso_segment+0xaf4/0x1bc4 net/ipv4/udp_offload.c:332 | udp6_ufo_fragment+0x540/0xca0 net/ipv6/udp_offload.c:47 | ipv6_gso_segment+0x5cc/0x1760 net/ipv6/ip6_offload.c:119 | skb_mac_gso_segment+0x2b4/0x5b0 net/core/gro.c:141 | __skb_gso_segment+0x250/0x3d0 net/core/dev.c:3401 | skb_gso_segment include/linux/netdevice.h:4859 [inline] | validate_xmit_skb+0x364/0xdbc net/core/dev.c:3659 | validate_xmit_skb_list+0x94/0x130 net/core/dev.c:3709 | sch_direct_xmit+0xe8/0x548 net/sched/sch_generic.c:327 | __dev_xmit_skb net/core/dev.c:3805 [inline] | __dev_queue_xmit+0x147c/0x3318 net/core/dev.c:4210 | dev_queue_xmit include/linux/netdevice.h:3085 [inline] | packet_xmit+0x6c/0x318 net/packet/af_packet.c:276 | packet_snd net/packet/af_packet.c:3081 [inline] | packet_sendmsg+0x376c/0x4c98 net/packet/af_packet.c:3113 | sock_sendmsg_nosec net/socket.c:724 [inline] | sock_sendmsg net/socket.c:747 [inline] | __sys_sendto+0x3b4/0x538 net/socket.c:2144

Extend the early return to reject negative lengths as well, aligning our implementation with the generic code in lib/checksum.c

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, a negative length argument to the arm64 checksum function triggers an out-of-bounds read via an undefined shift.

The vulnerability resides in the do_csum function within arch/arm64/lib/csum.c. Although a previous fix (commit c2c24edb1d9c) handled zero-length input, a negative length value was not checked. This causes an undefined shift operation and subsequently an out-of-bounds read from a kernel slab buffer [1].

An attacker can trigger the issue by submitting a crafted UDP or IPv6 frame undergoing segmentation offload balancing or segmentation that results in a negative length being passed to csum_partial. The call chain visible in the KASAN report shows the flow through __udp_gso_segment and udp6_ufo_fragment, ultimately reaching do_csum with a malformed length [1].

The impact is a kernel slab out-of-bounds read, as demonstrated by the KASAN report showing a read of size 4294966928 (0xFFFF0010). This could lead to memory information disclosure or a system crash (denial of service). No evidence of privilege escalation is provided in the description [1].

The fix was applied in multiple stable kernel branches, including a commit that adds a simple negative-length check before the shift operation. Users should update to a kernel version containing the relevant stable commits [1][2][3].

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

6
5a85727239a2
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
9a43563cfd6b
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
ba0b46166b8e
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
a5ad2f87d8e7
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
fcdf904e866d
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
8bd795fedb84
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.