CVE-2023-54265
Description
In the Linux kernel, the following vulnerability has been resolved:
ipv6: Fix an uninit variable access bug in __ip6_make_skb()
Syzbot reported the following bug:
=====================================================
BUG: KMSAN: uninit-value in arch_atomic64_inc arch/x86/include/asm/atomic64_64.h:88 [inline]
BUG: KMSAN: uninit-value in arch_atomic_long_inc include/linux/atomic/atomic-long.h:161 [inline]
BUG: KMSAN: uninit-value in atomic_long_inc include/linux/atomic/atomic-instrumented.h:1429 [inline]
BUG: KMSAN: uninit-value in __ip6_make_skb+0x2f37/0x30f0 net/ipv6/ip6_output.c:1956
 arch_atomic64_inc arch/x86/include/asm/atomic64_64.h:88 [inline]
 arch_atomic_long_inc include/linux/atomic/atomic-long.h:161 [inline]
 atomic_long_inc include/linux/atomic/atomic-instrumented.h:1429 [inline]
 __ip6_make_skb+0x2f37/0x30f0 net/ipv6/ip6_output.c:1956
 ip6_finish_skb include/net/ipv6.h:1122 [inline]
 ip6_push_pending_frames+0x10e/0x550 net/ipv6/ip6_output.c:1987
 rawv6_push_pending_frames+0xb12/0xb90 net/ipv6/raw.c:579
 rawv6_sendmsg+0x297e/0x2e60 net/ipv6/raw.c:922
 inet_sendmsg+0x101/0x180 net/ipv4/af_inet.c:827
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg net/socket.c:734 [inline]
 ____sys_sendmsg+0xa8e/0xe70 net/socket.c:2476
 ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2530
 __sys_sendmsg net/socket.c:2559 [inline]
 __do_sys_sendmsg net/socket.c:2568 [inline]
 __se_sys_sendmsg net/socket.c:2566 [inline]
 __x64_sys_sendmsg+0x367/0x540 net/socket.c:2566
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:766 [inline]
 slab_alloc_node mm/slub.c:3452 [inline]
 __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491
 __do_kmalloc_node mm/slab_common.c:967 [inline]
 __kmalloc_node_track_caller+0x114/0x3b0 mm/slab_common.c:988
 kmalloc_reserve net/core/skbuff.c:492 [inline]
 __alloc_skb+0x3af/0x8f0 net/core/skbuff.c:565
 alloc_skb include/linux/skbuff.h:1270 [inline]
 __ip6_append_data+0x51c1/0x6bb0 net/ipv6/ip6_output.c:1684
 ip6_append_data+0x411/0x580 net/ipv6/ip6_output.c:1854
 rawv6_sendmsg+0x2882/0x2e60 net/ipv6/raw.c:915
 inet_sendmsg+0x101/0x180 net/ipv4/af_inet.c:827
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg net/socket.c:734 [inline]
 ____sys_sendmsg+0xa8e/0xe70 net/socket.c:2476
 ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2530
 __sys_sendmsg net/socket.c:2559 [inline]
 __do_sys_sendmsg net/socket.c:2568 [inline]
 __se_sys_sendmsg net/socket.c:2566 [inline]
 __x64_sys_sendmsg+0x367/0x540 net/socket.c:2566
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
This is because the icmp6hdr is not in the skb linear region in the SOCK_RAW socket scenario. Accessing icmp6_hdr(skb)->icmp6_type directly will trigger the uninit variable access bug.
Use a local variable icmp6_type to carry the correct value in different scenarios.
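The pattern described above, as an added userspace model that is not the kernel patch or code from the original page: a counter indexed by a header byte read from a buffer that was allocated but never written, next to the local-variable form. All struct and function names are hypothetical, the 0xAA fill stands in for uninitialized slab memory, and the source of the correct type (`known_type`) is an assumption of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model only: every name here is hypothetical, not a kernel symbol. */
#define POISON 0xAA                 /* stands in for uninitialized slab bytes */

struct toy_skb {
    uint8_t linear[8];              /* head buffer the header pointer refers to */
    uint8_t frag[8];                /* data held outside the linear region */
};

static unsigned long out_msgs[256]; /* per-type ICMPv6 output counters */

/* SOCK_RAW case from the description: the ICMPv6 header supplied by the
 * caller is not in the linear region, which is allocated but never written. */
static void build_raw(struct toy_skb *skb, uint8_t type)
{
    memset(skb->linear, POISON, sizeof(skb->linear));
    memset(skb->frag, 0, sizeof(skb->frag));
    skb->frag[0] = type;
}

/* Before: the type is always read through the header pointer. */
static uint8_t count_before(const struct toy_skb *skb)
{
    uint8_t t = skb->linear[0];     /* POISON for the raw case */
    out_msgs[t]++;                  /* wrong counter, chosen by stale memory */
    return t;
}

/* After: a local icmp6_type carries the right value for each scenario.
 * known_type models a value recorded at send time (assumption). */
static uint8_t count_after(const struct toy_skb *skb, int is_raw, uint8_t known_type)
{
    uint8_t icmp6_type = is_raw ? known_type : skb->linear[0];
    out_msgs[icmp6_type]++;
    return icmp6_type;
}

int main(void)
{
    struct toy_skb skb;
    build_raw(&skb, 128);           /* 128 = ICMPv6 Echo Request */
    printf("before: counted type %u\n", count_before(&skb));
    printf("after:  counted type %u\n", count_after(&skb, 1, 128));
    return 0;
}
```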
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, a flaw in IPv6 packet construction can lead to an uninitialized variable access, potentially causing a crash or information leak.
Root Cause
CVE-2023-54265 is an uninitialized variable access bug in the Linux kernel's IPv6 stack, specifically in the __ip6_make_skb() function. The KMSAN (Kernel Memory Sanitizer) report from syzbot shows an uninitialized value being used in an atomic counter increment (atomic_long_inc) at net/ipv6/ip6_output.c:1956, leading to a kernel crash. The bug arises because, for SOCK_RAW sockets, the ICMPv6 header is not in the skb linear region, so reading icmp6_hdr(skb)->icmp6_type directly accesses uninitialized memory [1][2][3].
Attack Vector
The vulnerability can be triggered by a local attacker sending crafted IPv6 raw packets with the sendmsg() system call, which the kernel handles in rawv6_sendmsg(). The flaw is reachable through the normal packet sending path: rawv6_sendmsg → rawv6_push_pending_frames → ip6_push_pending_frames → __ip6_make_skb. No special privileges are required beyond the ability to open a raw IPv6 socket, which typically requires the CAP_NET_RAW capability [1][2][3].
Impact
An attacker exploiting this bug could cause a kernel crash (denial of service) or potentially an information disclosure if the uninitialized memory contains sensitive data. The KMSAN warning shows the uninitialized value propagates to an atomic increment operation, which could corrupt kernel state and lead to unpredictable system behavior [1][2][3].
Mitigation
The issue has been fixed in the Linux kernel with commits that use a local variable, icmp6_type, to carry the correct value in each scenario instead of reading icmp6_hdr(skb)->icmp6_type directly. The fix is included in stable kernel updates from version 6.6.0-rc1 onward. Users should apply the latest kernel patches from their distribution or upgrade to a corrected kernel version [1][2][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 8
165370522cc4, f394f690a30a, 0cf600ca1bdf, 605b056d6330, d65ff2fe877c, 2c9cefc142c1, 02ed5700f404, ea30388baebc
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 8
- git.kernel.org/stable/c/02ed5700f40445af02d1c97db25ffc2d04971d9f (nvd)
- git.kernel.org/stable/c/0cf600ca1bdf1d52df977516ee6cee0cadb1f6b1 (nvd)
- git.kernel.org/stable/c/165370522cc48127da564a08584a7391e6341908 (nvd)
- git.kernel.org/stable/c/2c9cefc142c1dc2759e19a92d3b2b3715e985beb (nvd)
- git.kernel.org/stable/c/605b056d63302ae84eb136e88d4df49124bd5e0d (nvd)
- git.kernel.org/stable/c/d65ff2fe877c471aa6e79efa7bd8ff66e147c317 (nvd)
- git.kernel.org/stable/c/ea30388baebcce37fd594d425a65037ca35e59e8 (nvd)
- git.kernel.org/stable/c/f394f690a30a5ec0413c62777a058eaf3d6e10d5 (nvd)