CVE-2023-54112
Description
In the Linux kernel, the following vulnerability has been resolved:
kcm: Fix memory leak in error path of kcm_sendmsg()
syzbot reported a memory leak like below:
BUG: memory leak
unreferenced object 0xffff88810b088c00 (size 240):
  comm "syz-executor186", pid 5012, jiffies 4294943306 (age 13.680s)
  hex dump (first 32 bytes):
    00 89 08 0b 81 88 ff ff 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [] __alloc_skb+0x1ef/0x230 net/core/skbuff.c:634
    [] alloc_skb include/linux/skbuff.h:1289 [inline]
    [] kcm_sendmsg+0x269/0x1050 net/kcm/kcmsock.c:815
    [] sock_sendmsg_nosec net/socket.c:725 [inline]
    [] sock_sendmsg+0x56/0xb0 net/socket.c:748
    [] ____sys_sendmsg+0x365/0x470 net/socket.c:2494
    [] ___sys_sendmsg+0xc9/0x130 net/socket.c:2548
    [] __sys_sendmsg+0xa6/0x120 net/socket.c:2577
    [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
    [] entry_SYSCALL_64_after_hwframe+0x63/0xcd
In kcm_sendmsg(), kcm_tx_msg(head)->last_skb is used as a cursor to append newly allocated skbs to 'head'. If some bytes are copied, an error occurs, and the code jumps to the out_error label, 'last_skb' is left unmodified. A later kcm_sendmsg() will use an obsoleted 'last_skb' reference, corrupting the 'head' frag_list and causing the leak.
This patch fixes this issue by properly updating the last allocated skb in 'last_skb'.
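The stale-cursor failure described above, as an added user-space model (not kernel code and not taken from the fix commits). The types `struct buf` and `struct msg` and the functions `send_then_fail()`, `free_reachable()` and `leaked_after_two_sends()` are hypothetical names chosen for illustration; `last` stands in for kcm_tx_msg(head)->last_skb.

```c
#include <stdio.h>
#include <stdlib.h>
/* Simplified user-space model, not kernel code. 'last' stands in for
 * kcm_tx_msg(head)->last_skb; NULL means "cursor is still the head". */
struct buf { struct buf *next; };
struct msg { struct buf *frag_list; struct buf *last; int allocated; };

/* Append n buffers through a local cursor, then fail after a partial copy.
 * save_cursor = 0 models the pre-fix error path, 1 the fixed behaviour. */
static void send_then_fail(struct msg *m, int n, int save_cursor)
{
    struct buf *cur = m->last;            /* resume from the saved cursor */
    for (int i = 0; i < n; i++) {
        struct buf *b = calloc(1, sizeof(*b));
        if (!b) abort();
        m->allocated++;
        if (cur == NULL)
            m->frag_list = b;             /* replaces whatever was linked here */
        else
            cur->next = b;
        cur = b;
    }
    if (save_cursor) m->last = cur;       /* error path: write cursor back */
}

/* Free everything still linked from the head and return how many that was. */
static int free_reachable(struct msg *m)
{
    int n = 0;
    for (struct buf *b = m->frag_list, *nx; b; b = nx, n++) {
        nx = b->next;
        free(b);
    }
    return n;
}

/* Two failing sends on one message; returns buffers no longer reachable. */
int leaked_after_two_sends(int save_cursor)
{
    struct msg m = {0};
    send_then_fail(&m, 2, save_cursor);
    send_then_fail(&m, 1, save_cursor);
    return m.allocated - free_reachable(&m);
}

int main(void)
{
    printf("leaked pre-fix=%d fixed=%d\n", leaked_after_two_sends(0), leaked_after_two_sends(1));
    return 0;
}
```

In the pre-fix mode the second send starts from the unchanged cursor and overwrites the head's chain, so the two buffers from the first send become unreachable, which is the same shape of leak the syzbot report shows for the skb allocated in kcm_sendmsg().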
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memory leak in Linux kernel's kcm_sendmsg() due to stale last_skb pointer in error path.
Vulnerability
In the Linux kernel's KCM (Kernel Connection Multiplexor) socket implementation, a memory leak occurs in the kcm_sendmsg() function. The function uses a cursor kcm_tx_msg(head)->last_skb to track the last allocated skb when appending new skbs to the head. If an error occurs after partial data copying, the code jumps to the out_error label without updating this cursor. As a result, a subsequent call to kcm_sendmsg() will use a stale pointer, corrupting the frag_list and causing the allocated skb to never be freed [1].
Exploitation
An unprivileged attacker can trigger this bug by sending messages via a KCM socket and intentionally causing errors (e.g., by using a non-blocking socket or injecting faults). The syzbot fuzzer reproduced the issue, demonstrating that it can be triggered without special privileges. The attack surface is local, requiring the ability to create and use KCM sockets.
Impact
Successful exploitation leads to a kernel memory leak. Repeated triggering can exhaust system memory, leading to denial of service (system hang or crash). There is no evidence of code execution or privilege escalation.
Mitigation
The vulnerability is fixed in Linux kernel commits [1][2][3]. Users should apply the latest kernel updates from their distribution. No workarounds are known.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
8
8dc7eb757b16, 5e5554389397, 479c71cda14b, 33db24ad811b, 97275339c34c, 16989de75497, af8085e0fc32, c821a88bd720
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8
- git.kernel.org/stable/c/16989de75497574b5fafd174c0c233d5a86858b7 (nvd)
- git.kernel.org/stable/c/33db24ad811b3576a0c2f8862506763f2be925b0 (nvd)
- git.kernel.org/stable/c/479c71cda14b3c3a6515773faa39055333eaa2b7 (nvd)
- git.kernel.org/stable/c/5e5554389397e98fafb9efe395d8b4830dd5f042 (nvd)
- git.kernel.org/stable/c/8dc7eb757b1652b82725f32e0c89a1e9f6c0e13b (nvd)
- git.kernel.org/stable/c/97275339c34cfbccd65e87bc38fd910ae66c48ba (nvd)
- git.kernel.org/stable/c/af8085e0fc3207ecbf8b9e7a635c790e36d058c6 (nvd)
- git.kernel.org/stable/c/c821a88bd720b0046433173185fd841a100d44ad (nvd)