VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 30, 2025· Updated Apr 15, 2026

CVE-2023-54223

CVE-2023-54223

Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: xsk: Fix invalid buffer access for legacy rq

The below crash can be encountered when using xdpsock in rx mode for legacy rq: the buffer gets released in the XDP_REDIRECT path, and then once again in the driver. This fix sets the flag to avoid releasing on the driver side.

XSK handling of buffers for legacy rq was relying on the caller to set the skip release flag. But the referenced fix started using fragment counts for pages instead of the skip flag.

Crash log: general protection fault, probably for non-canonical address 0xffff8881217e3a: 0000 [#1] SMP CPU: 0 PID: 14 Comm: ksoftirqd/0 Not tainted 6.5.0-rc1+ #31 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:bpf_prog_03b13f331978c78c+0xf/0x28 Code: ... RSP: 0018:ffff88810082fc98 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888138404901 RCX: c0ffffc900027cbc RDX: ffffffffa000b514 RSI: 00ffff8881217e32 RDI: ffff888138404901 RBP: ffff88810082fc98 R08: 0000000000091100 R09: 0000000000000006 R10: 0000000000000800 R11: 0000000000000800 R12: ffffc9000027a000 R13: ffff8881217e2dc0 R14: ffff8881217e2910 R15: ffff8881217e2f00 FS: 0000000000000000(0000) GS:ffff88852c800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000564cb2e2cde0 CR3: 000000010e603004 CR4: 0000000000370eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:

? die_addr+0x32/0x80 ? exc_general_protection+0x192/0x390 ? asm_exc_general_protection+0x22/0x30 ? 0xffffffffa000b514 ? bpf_prog_03b13f331978c78c+0xf/0x28 mlx5e_xdp_handle+0x48/0x670 [mlx5_core] ? dev_gro_receive+0x3b5/0x6e0 mlx5e_xsk_skb_from_cqe_linear+0x6e/0x90 [mlx5_core] mlx5e_handle_rx_cqe+0x55/0x100 [mlx5_core] mlx5e_poll_rx_cq+0x87/0x6e0 [mlx5_core] mlx5e_napi_poll+0x45e/0x6b0 [mlx5_core] __napi_poll+0x25/0x1a0 net_rx_action+0x28a/0x300 __do_softirq+0xcd/0x279 ? sort_range+0x20/0x20 run_ksoftirqd+0x1a/0x20 smpboot_thread_fn+0xa2/0x130 kthread+0xc9/0xf0 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30

Modules linked in: mlx5_ib mlx5_core rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay zram zsmalloc fuse [last unloaded: mlx5_core] ---[ end trace 0000000000000000 ]---

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A double-free bug in the Linux kernel's mlx5e XSK legacy RQ handling causes a general protection fault, exploitable for denial of service.

Description

CVE-2023-54223 is a double-free vulnerability in the Linux kernel's net/mlx5e driver, specifically in the XSK (AF_XDP socket) buffer handling for legacy receive queues (RQ). The root cause is that the driver relies on a caller-set skip-release flag to avoid freeing a buffer twice in the XDP_REDIRECT path, but a recent change switched to using fragment counts for pages, breaking this assumption. As a result, a buffer allocated for XSK can be released once in the XDP_REDIRECT path and then again by the driver, leading to a use-after-free or double-free [1].

Exploitation

To trigger the bug, an attacker would need to be able to send or redirect AF_XDP frames targeting a Mellanox ConnectX NIC (mlx5 driver) in legacy RQ mode. The attack does not require privileged access beyond the ability to use of XDP sockets, which are available to unprivileged users in many configurations. The crash occurs during normal packet processing (NAPI polling) when an XSK frame is handled by mlx5e_xsk_skb_from_cqe_linear and later freed again, causing a general protection fault [1].

Impact

Successful exploitation leads to a kernel crash (denial of service) due to a general protection fault. The crash log shows the fault occurring in a BPF program that handles the XDP action, suggesting that an attacker could potentially cause persistent system unavailability by sending malicious traffic. There is no evidence in the advisory of privilege escalation or remote code execution, but a double-free can sometimes be leveraged for more severe outcomes depending on memory allocator state.

Mitigation

The fix is committed in the Linux kernel stable tree as commit 58a113a35846d9a5bd759beb332e551e28451f09, which ensures the MLX5E_XDP_XMIT flag is set` flag is properly propagated in the legacy RQ path to prevent duplicate release [1]. Users should update to a kernel containing this fix (e.g., Linux 6.5 or later with the backport). No workaround is available other than avoiding the use of AF_XDP sockets on affected Mellanox interfaces, or upgrading the driver.

References
  1. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

2
58a113a35846
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
e0f52298fee4
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.