{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T16:13:40.829","vulnerabilities":[{"cve":{"id":"CVE-2023-52610","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-03-18T11:15:07.943","lastModified":"2025-03-10T15:39:09.893","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ct: fix skb leak and crash on ooo frags\n\nact_ct adds skb->users before defragmentation. If frags arrive in order,\nthe last frag's reference is reset in:\n\n  inet_frag_reasm_prepare\n    skb_morph\n\nwhich is not straightforward.\n\nHowever when frags arrive out of order, nobody unref the last frag, and\nall frags are leaked. The situation is even worse, as initiating packet\ncapture can lead to a crash[0] when skb has been cloned and shared at the\nsame time.\n\nFix the issue by removing skb_get() before defragmentation. act_ct\nreturns TC_ACT_CONSUMED when defrag failed or in progress.\n\n[0]:\n[  843.804823] ------------[ cut here ]------------\n[  843.809659] kernel BUG at net/core/skbuff.c:2091!\n[  843.814516] invalid opcode: 0000 [#1] PREEMPT SMP\n[  843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2\n[  843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022\n[  843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300\n[  843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b <0f> 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89\n[  843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202\n[  843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820\n[  843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00\n[  843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000\n[  843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880\n[  843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900\n[  843.871680] FS:  0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000\n[  843.876242] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0\n[  843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  843.894229] PKRU: 55555554\n[  843.898539] Call Trace:\n[  843.902772]  <IRQ>\n[  843.906922]  ? __die_body+0x1e/0x60\n[  843.911032]  ? die+0x3c/0x60\n[  843.915037]  ? do_trap+0xe2/0x110\n[  843.918911]  ? pskb_expand_head+0x2ac/0x300\n[  843.922687]  ? do_error_trap+0x65/0x80\n[  843.926342]  ? pskb_expand_head+0x2ac/0x300\n[  843.929905]  ? exc_invalid_op+0x50/0x60\n[  843.933398]  ? pskb_expand_head+0x2ac/0x300\n[  843.936835]  ? asm_exc_invalid_op+0x1a/0x20\n[  843.940226]  ? pskb_expand_head+0x2ac/0x300\n[  843.943580]  inet_frag_reasm_prepare+0xd1/0x240\n[  843.946904]  ip_defrag+0x5d4/0x870\n[  843.950132]  nf_ct_handle_fragments+0xec/0x130 [nf_conntrack]\n[  843.953334]  tcf_ct_act+0x252/0xd90 [act_ct]\n[  843.956473]  ? tcf_mirred_act+0x516/0x5a0 [act_mirred]\n[  843.959657]  tcf_action_exec+0xa1/0x160\n[  843.962823]  fl_classify+0x1db/0x1f0 [cls_flower]\n[  843.966010]  ? skb_clone+0x53/0xc0\n[  843.969173]  tcf_classify+0x24d/0x420\n[  843.972333]  tc_run+0x8f/0xf0\n[  843.975465]  __netif_receive_skb_core+0x67a/0x1080\n[  843.978634]  ? dev_gro_receive+0x249/0x730\n[  843.981759]  __netif_receive_skb_list_core+0x12d/0x260\n[  843.984869]  netif_receive_skb_list_internal+0x1cb/0x2f0\n[  843.987957]  ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core]\n[  843.991170]  napi_complete_done+0x72/0x1a0\n[  843.994305]  mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core]\n[  843.997501]  __napi_poll+0x25/0x1b0\n[  844.000627]  net_rx_action+0x256/0x330\n[  844.003705]  __do_softirq+0xb3/0x29b\n[  844.006718]  irq_exit_rcu+0x9e/0xc0\n[  844.009672]  common_interrupt+0x86/0xa0\n[  844.012537]  </IRQ>\n[  844.015285]  <TASK>\n[  844.017937]  asm_common_interrupt+0x26/0x40\n[  844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20\n[  844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb\n---truncated---"},{"lang":"es","value":"En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net/sched: act_ct: corrige la fuga de skb y falla en ooo frags act_ct agrega usuarios de skb-&gt; antes de la desfragmentación. Si los fragmentos llegan en orden, la referencia del último fragmento se restablece en: inet_frag_reasm_prepare skb_morph, lo cual no es sencillo. Sin embargo, cuando los fragmentos llegan desordenados, nadie elimina la referencia del último fragmento y todos los fragmentos se filtran. La situación es aún peor, ya que iniciar la captura de paquetes puede provocar una falla[0] cuando skb ha sido clonado y compartido al mismo tiempo. Solucione el problema eliminando skb_get() antes de la desfragmentación. act_ct devuelve TC_ACT_CONSUMED cuando la desfragmentación falla o está en progreso. [0]: [843.804823] ------------[ cortar aquí ]------------ [ 843.809659] ERROR del kernel en net/core/skbuff.c:2091 ! [843.814516] código de operación no válido: 0000 [#1] PREEMPT SMP [ 843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: cargado Contaminado: GS 6.7.0-rc3 #2 [ 843.824107] Nombre de hardware: XFUSION 1288H V6/ BC13MBSBD, BIOS 1.29 25/11/2022 [ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300 [ 843.833805] Código: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 0 0 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b &lt;0f&gt; 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89 [ 843.843698] RSP: 0 018:ffffc9000cce07c0 EFLAGS: 00010202 [843.848524] RAX: 00000000000000002 RBX: ffff88811a211d00 RCX: 00000000000000820 [843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00 [ 843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 00000000000000000 [ 843.862584] R10: 00 00000000000000 R11: ffff8881109f0000 R12: 0000000000000880 [ 843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900 [ 843.871680] FS: 0000000000000000(0 000) GS:ffff889ffffc0000(0000) knlGS:00000000000000000 [ 843.876242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 843.880778] CR2 : 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0 [ 843.885336] DR0: 00000000000000000 DR1: 00000000000000000 DR2: 000000000000000 00 [ 843.889809] DR3: 00000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 843.894229] PKRU: 55555554 [ 843.898539] Rastreo de llamadas: [ 843.90277 2]  [843.906922] ? __die_body+0x1e/0x60 [ 843.911032] ? morir+0x3c/0x60 [843.915037]? do_trap+0xe2/0x110 [843.918911]? pskb_expand_head+0x2ac/0x300 [843.922687]? do_error_trap+0x65/0x80 [843.926342]? pskb_expand_head+0x2ac/0x300 [843.929905]? exc_invalid_op+0x50/0x60 [843.933398]? pskb_expand_head+0x2ac/0x300 [843.936835]? asm_exc_invalid_op+0x1a/0x20 [843.940226]? pskb_expand_head+0x2ac/0x300 [ 843.943580] inet_frag_reasm_prepare+0xd1/0x240 [ 843.946904] ip_defrag+0x5d4/0x870 [ 843.950132] nf_ct_handle_fragments+0xec/0x130 [nf_conn pista] [843.953334] tcf_ct_act+0x252/0xd90 [act_ct] [843.956473]? tcf_mirred_act+0x516/0x5a0 [act_mirred] [843.959657] tcf_action_exec+0xa1/0x160 [843.962823] fl_classify+0x1db/0x1f0 [cls_flower] [843.966010] ? skb_clone+0x53/0xc0 [ 843.969173] tcf_classify+0x24d/0x420 [ 843.972333] tc_run+0x8f/0xf0 [ 843.975465] __netif_receive_skb_core+0x67a/0x1080 [ 843.978634 ] ? dev_gro_receive+0x249/0x730 [843.981759] __netif_receive_skb_list_core+0x12d/0x260 [843.984869] netif_receive_skb_list_internal+0x1cb/0x2f0 [843.987957] ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core] [ 843.991170] napi_complete_done+0x72/0x1a0 [ 843.994305] mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core] [ 843.997501] __napi_poll+0x25/0x1b0 [ 844.000627] net_rx_action+0x256/0x330 [ 844.003705] __do_softirq+0xb3/ 0x29b [ 844.006718] irq_exit_rcu+0x9e/0xc0 [ 844.009672] common_interrupt+0x86/0xa0 [ 844.012537]  [ 844.015285]  [ 844.017937] asm_common_interrupt+0x26 /0x40 [844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20 [ 844.023247] ---truncado ---"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"5.15.148","matchCriteriaId":"8F81F20B-C3A0-4AD7-B13E-118B3FDB8019"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.75","matchCriteriaId":"070D0ED3-90D0-4F95-B1FF-57D7F46F332D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.14","matchCriteriaId":"5C6B50A6-3D8B-4CE2-BDCC-A098609CBA14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.7.2","matchCriteriaId":"7229C448-E0C9-488B-8939-36BA5254065E"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0b5b831122fc3789fff75be433ba3e4dd7b779d4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/172ba7d46c202e679f3ccb10264c67416aaeb1c4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/3f14b377d01d8357eba032b4cabc8c1149b458b6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/73f7da5fd124f2cda9161e2e46114915e6e82e97","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/f5346df0591d10bc948761ca854b1fae6d2ef441","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/0b5b831122fc3789fff75be433ba3e4dd7b779d4","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/172ba7d46c202e679f3ccb10264c67416aaeb1c4","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/3f14b377d01d8357eba032b4cabc8c1149b458b6","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/73f7da5fd124f2cda9161e2e46114915e6e82e97","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/f5346df0591d10bc948761ca854b1fae6d2ef441","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"]}]}}]}