CVE-2023-53147 [Medium] | Security Vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: xfrm: add NULL check in xfrm_update_ae_params Normally, x->replay_esn and x->preplay_esn should be allocated at xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the xfrm_update_ae_params(...) is okay to update them. However, the current implementation of xfrm_new_ae(...) allows a malicious user to directly dereference a NULL pointer and crash the kernel like below. BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0 Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774deaf1 #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4 RIP: 0010:memcpy_orig+0xad/0x140 Code: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c RSP: 0018:ffff888008f57658 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571 RDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818 R13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000 FS: 00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0 Call Trace: <TASK> ? __die+0x1f/0x70 ? page_fault_oops+0x1e8/0x500 ? __pfx_is_prefetch.constprop.0+0x10/0x10 ? __pfx_page_fault_oops+0x10/0x10 ? _raw_spin_unlock_irqrestore+0x11/0x40 ? fixup_exception+0x36/0x460 ? _raw_spin_unlock_irqrestore+0x11/0x40 ? exc_page_fault+0x5e/0xc0 ? asm_exc_page_fault+0x26/0x30 ? xfrm_update_ae_params+0xd1/0x260 ? memcpy_orig+0xad/0x140 ? __pfx__raw_spin_lock_bh+0x10/0x10 xfrm_update_ae_params+0xe7/0x260 xfrm_new_ae+0x298/0x4e0 ? __pfx_xfrm_new_ae+0x10/0x10 ? __pfx_xfrm_new_ae+0x10/0x10 xfrm_user_rcv_msg+0x25a/0x410 ? __pfx_xfrm_user_rcv_msg+0x10/0x10 ? __alloc_skb+0xcf/0x210 ? stack_trace_save+0x90/0xd0 ? filter_irq_stacks+0x1c/0x70 ? __stack_depot_save+0x39/0x4e0 ? __kasan_slab_free+0x10a/0x190 ? kmem_cache_free+0x9c/0x340 ? netlink_recvmsg+0x23c/0x660 ? sock_recvmsg+0xeb/0xf0 ? __sys_recvfrom+0x13c/0x1f0 ? __x64_sys_recvfrom+0x71/0x90 ? do_syscall_64+0x3f/0x90 ? entry_SYSCALL_64_after_hwframe+0x72/0xdc ? copyout+0x3e/0x50 netlink_rcv_skb+0xd6/0x210 ? __pfx_xfrm_user_rcv_msg+0x10/0x10 ? __pfx_netlink_rcv_skb+0x10/0x10 ? __pfx_sock_has_perm+0x10/0x10 ? mutex_lock+0x8d/0xe0 ? __pfx_mutex_lock+0x10/0x10 xfrm_netlink_rcv+0x44/0x50 netlink_unicast+0x36f/0x4c0 ? __pfx_netlink_unicast+0x10/0x10 ? netlink_recvmsg+0x500/0x660 netlink_sendmsg+0x3b7/0x700 This Null-ptr-deref bug is assigned CVE-2023-3772. And this commit adds additional NULL check in xfrm_update_ae_params to fix the NPD.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-09-16	—	0.02%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2025-09-16

—

0.02%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.5	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	3.6	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

5.5

3.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.8

3.6

[email protected]

OS Trackers for CVE-2023-53147

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2023-53147 not yet assigned priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2023-53147
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2023-53147
`suse`	medium	—	https://www.suse.com/security/cve/CVE-2023-53147/
`ubuntu`	medium	CVE-2023-53147 medium priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1414 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 1017, released 160, ignored 159, not-affected 77, needs-triage 1.	https://ubuntu.com/security/CVE-2023-53147

Affected software / configurations for CVE-2023-53147

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 2.6.39, < 4.14.324	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 4.15, < 4.19.293	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 4.20, < 5.4.255	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.5, < 5.10.192	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.11, < 5.15.128	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.16, < 6.1.47	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.2, < 6.4.12	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	6.5	cpe:2.3:o:linux:linux_kernel:6.5:rc1::::::
linux	linux_kernel	6.5	cpe:2.3:o:linux:linux_kernel:6.5:rc2::::::
linux	linux_kernel	6.5	cpe:2.3:o:linux:linux_kernel:6.5:rc3::::::
linux	linux_kernel	6.5	cpe:2.3:o:linux:linux_kernel:6.5:rc4::::::
linux	linux_kernel	6.5	cpe:2.3:o:linux:linux_kernel:6.5:rc5::::::
linux	linux_kernel	6.5	cpe:2.3:o:linux:linux_kernel:6.5:rc6::::::

References for CVE-2023-53147

URL	Tags
https://git.kernel.org/stable/c/00374d9b6d9f932802b55181be9831aa948e5b7c	Patch
https://git.kernel.org/stable/c/075448a2eb753f813fe873cfa52853e9fef8eedb	Patch
https://git.kernel.org/stable/c/44f69c96f8a147413c23c68cda4d6fb5e23137cd	Patch
https://git.kernel.org/stable/c/53df4be4f5221e90dc7aa9ce745a9a21bb7024f4	Patch
https://git.kernel.org/stable/c/8046beb890ebc83c5820188c650073e1c6066e67	Patch
https://git.kernel.org/stable/c/87b655f4936b6fc01f3658aa88a22c923b379ebd	Patch
https://git.kernel.org/stable/c/bd30aa9c7febb6e709670cd5154194189ca3b7b5	Patch
https://git.kernel.org/stable/c/ed1cba039309c80b49719fcff3e3d7cdddb73d96	Patch

URL

CVE-2023-53147 | xfrm: add NULL check in xfrm_update_ae_params

Exploit prediction scoring system (EPSS) score for CVE-2023-53147

Common vulnerability scoring system (CVSS) metrics for CVE-2023-53147

Weakness enumeration for CVE-2023-53147

OS Trackers for CVE-2023-53147

Affected software / configurations for CVE-2023-53147

References for CVE-2023-53147