CVE-2023-53995
Description
In the Linux kernel, the following vulnerability has been resolved:
net: ipv4: fix one memleak in __inet_del_ifa()
I got the below warning when do fuzzing test: unregister_netdevice: waiting for bond0 to become free. Usage count = 2
It can be repoduced via:
ip link add bond0 type bond sysctl -w net.ipv4.conf.bond0.promote_secondaries=1 ip addr add 4.117.174.103/0 scope 0x40 dev bond0 ip addr add 192.168.100.111/255.255.255.254 scope 0 dev bond0 ip addr add 0.0.0.4/0 scope 0x40 secondary dev bond0 ip addr del 4.117.174.103/0 scope 0x40 dev bond0 ip link delete bond0 type bond
In this reproduction test case, an incorrect 'last_prim' is found in __inet_del_ifa(), as a result, the secondary address(0.0.0.4/0 scope 0x40) is lost. The memory of the secondary address is leaked and the reference of in_device and net_device is leaked.
Fix this problem: Look for 'last_prim' starting at location of the deleted IP and inserting the promoted IP into the location of 'last_prim'.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in __inet_del_ifa() occurs when deleting a primary IP address while promoting secondaries, causing the secondary address and device references to be lost.
Vulnerability
A memory leak vulnerability exists in the Linux kernel's IPv4 address management function __inet_del_ifa(). When a primary IP address is deleted on an interface that has promote_secondaries enabled, the function incorrectly identifies the 'last_prim' entry, causing a secondary address to be skipped during promotion. This leads to the secondary address being orphaned, resulting in a leak of the in_device and net_device reference counts [1][2][3].
Exploitation
An attacker with local network configuration privileges can trigger this vulnerability by executing a specific sequence of ip addr and sysctl commands as shown in the official report. The reproducer requires creating a bond interface, enabling promote_secondaries, adding specific IPv4 addresses with varying scopes, deleting one primary address, and then removing the bond device. The bug is exercised during the deletion of the primary address, causing the secondary address (0.0.0.4/0) to be lost rather than promoted [1][2][3].
Impact
Successful exploitation leads to a memory leak of the secondary address's in_device structure and an unreleased reference to the network device. Over repeated operations, this can exhaust kernel memory and cause the device to become permanently stuck in a busy state, as indicated by the warning "unregister_netdevice: waiting for bond0 to become free. Usage count = 2" [1][2][3].
Mitigation
The vulnerability was fixed in the Linux kernel by adjusting the last_prim search logic to start from the location of the deleted IP address and inserting the promoted IP into that same slot. The fix is included in kernel versions that contain the commits referenced in the advisory [1][2][3]. Users should update to a patched kernel version to prevent exploitation.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
65624f26a35747c8ddcdab1b92f1e86014d0c980f8445479842652af5360dac28b1ec6135Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- git.kernel.org/stable/c/2f1e86014d0cc084886c36a2d77bc620e2d42618nvd
- git.kernel.org/stable/c/42652af5360d30b43b06057c193739e7dfb18f42nvd
- git.kernel.org/stable/c/5624f26a3574500ce23929cb2c9976a0dec9920anvd
- git.kernel.org/stable/c/7c8ddcdab1b900bed69cad6beef477fff116289envd
- git.kernel.org/stable/c/980f8445479814509a3cd55a8eabaae1c9030a4cnvd
- git.kernel.org/stable/c/ac28b1ec6135649b5d78b028e47264cb3ebca5eanvd
News mentions
0No linked articles in our index yet.