CVE-2023-54155
Description
In the Linux kernel, the following vulnerability has been resolved:
net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail()
Syzkaller reported the following issue:
=======================================
Too BIG xdp->frame_sz = 131072
WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121 ____bpf_xdp_adjust_tail net/core/filter.c:4121 [inline]
WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121 bpf_xdp_adjust_tail+0x466/0xa10 net/core/filter.c:4103
...
Call Trace:
bpf_prog_4add87e5301a4105+0x1a/0x1c
__bpf_prog_run include/linux/filter.h:600 [inline]
bpf_prog_run_xdp include/linux/filter.h:775 [inline]
bpf_prog_run_generic_xdp+0x57e/0x11e0 net/core/dev.c:4721
netif_receive_generic_xdp net/core/dev.c:4807 [inline]
do_xdp_generic+0x35c/0x770 net/core/dev.c:4866
tun_get_user+0x2340/0x3ca0 drivers/net/tun.c:1919
tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2043
call_write_iter include/linux/fs.h:1871 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x650/0xe40 fs/read_write.c:584
ksys_write+0x12f/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
xdp->frame_sz > PAGE_SIZE check was introduced in commit c8741e2bfe87 ("xdp: Allow bpf_xdp_adjust_tail() to grow packet size"). But Jesper Dangaard Brouer <jbrouer@redhat.com> noted that after introducing the xdp_init_buff() which all XDP drivers use - it's safe to remove this check. The original intent was to catch cases where XDP drivers have not been updated to use xdp.frame_sz, but that is no longer a concern (since xdp_init_buff).
Running the initial syzkaller repro it was discovered that the contiguous physical memory allocation is used for both xdp paths in tun_get_user(), e.g. tun_build_skb() and tun_alloc_skb(). It was also stated by Jesper Dangaard Brouer <jbrouer@redhat.com> that XDP can work on higher order pages, as long as this is contiguous physical memory (e.g. a page).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A redundant frame_sz > PAGE_SIZE check in the Linux kernel's bpf_xdp_adjust_tail() function can trigger a WARNING when passthrough XDP receives large contiguous buffers via tun.
The vulnerability addresses an unnecessary frame_sz > PAGE_SIZE check in the bpf_xdp_adjust_tail() function within the Linux kernel's net/core/filter.c. This check was originally introduced in commit c8741e2bfe87 to catch XDP drivers that had not been updated to properly set xdp->frame_sz. However, with the later introduction of xdp_init_buff(), all XDP drivers now correctly initialize this field, making the check redundant. When a valid XDP program runs on a large, contiguous physical memory buffer (as used in tun_get_user(), for example via the TUN driver), this redundant check can trigger a kernel warning, as reported by syzkaller [1].
The attack surface involves sending crafted packets to a TUN/TAP device that has an XDP program attached. The tun_get_user() function allocates contiguous physical memory buffers for both tun_build_skb() and tun_alloc_skb(). If these buffers exceed PAGE_SIZE, the XDP program's invocation of bpf_xdp_adjust_tail() hits the stale check and produces a warning splat. Jesper Dangaard Brouer confirmed that XDP can work on higher-order pages as long as the memory is contiguous, so the check is no longer needed and should be removed [1].
The impact is a denial-of-service condition through repeated kernel warnings, causing system logs to be filled and potentially degrading performance. The warning does not directly crash the system, but the stack trace shows it is reachable from user-writable operations (write to a TUN device) by an unprivileged user in certain configurations, making it a low-to-medium severity issue.
The fix was applied upstream by removing the redundant frame_sz check. Patched kernel versions include those that contain the commit referenced in [1] (stable tag d9252d67ed2f). Users are advised to update their kernel to a version that includes this patch.
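An added example, not kernel code from this page or from the patch: a user-space C model of the tail-adjust bounds checks. It shows that the removed `frame_sz > PAGE_SIZE` test rejects a valid 131072-byte contiguous buffer, while the remaining bounds checks still stop growth past the end of the buffer. The struct, the `MODEL_*` constants, the `keep_check` flag and the 320-byte tailroom are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096u /* assumption: 4 KiB pages */
#define MODEL_ETH_HLEN  14    /* shortest frame the helper may leave behind */
#define MODEL_TAILROOM  320u  /* assumption: stand-in for reserved tailroom */
/* Hypothetical, reduced stand-in for the kernel's struct xdp_buff. */
struct model_xdp_buff {
    uint8_t *data, *data_end, *data_hard_start;
    uint32_t frame_sz;
};

static int warnings; /* counts "Too BIG xdp->frame_sz" splats instead of WARN() */

/* keep_check = 1 models the helper before the fix, 0 the patched helper. */
static int model_adjust_tail(struct model_xdp_buff *xdp, int offset, int keep_check)
{
    uint8_t *hard_end = xdp->data_hard_start + xdp->frame_sz - MODEL_TAILROOM;
    uint8_t *data_end = xdp->data_end + offset;
    if (data_end > hard_end)          /* real bound: stay inside the buffer */
        return -EINVAL;
    if (keep_check && xdp->frame_sz > MODEL_PAGE_SIZE) {
        warnings++;                   /* stale check that the fix removes */
        return -EINVAL;
    }
    if (data_end < xdp->data + MODEL_ETH_HLEN)
        return -EINVAL;
    if (offset > 0)                   /* zero newly exposed bytes on grow */
        memset(xdp->data_end, 0, (size_t)offset);
    xdp->data_end = data_end;
    return 0;
}

/* Place a 64-byte frame in a frame_sz-byte buffer, then adjust its tail. */
static int run_case(uint32_t frame_sz, int offset, int keep_check)
{
    static uint8_t buf[131072];       /* constructed sample buffer */
    struct model_xdp_buff xdp = { buf + 256, buf + 256 + 64, buf, frame_sz };
    return model_adjust_tail(&xdp, offset, keep_check);
}

int main(void)
{
    printf("pre-fix, 128 KiB frame:  %d\n", run_case(131072, 32, 1));
    printf("post-fix, 128 KiB frame: %d\n", run_case(131072, 32, 0));
    return 0;
}
```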
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 4
a09c258cfa77, 20acffcdc2b7, d9252d67ed2f, d14eea09edf4
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0. No linked articles in our index yet.