{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-53556","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-10-04T15:14:15.922Z","datePublished":"2025-10-04T15:17:01.238Z","dateUpdated":"2026-05-11T19:47:15.477Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:47:15.477Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix use-after-free in free_netdev\n\nWe do netif_napi_add() for all allocated q_vectors[], but potentially\ndo netif_napi_del() for part of them, then kfree q_vectors and leave\ninvalid pointers at dev->napi_list.\n\nReproducer:\n\n  [root@host ~]# cat repro.sh\n  #!/bin/bash\n\n  pf_dbsf=\"0000:41:00.0\"\n  vf0_dbsf=\"0000:41:02.0\"\n  g_pids=()\n\n  function do_set_numvf()\n  {\n      echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs\n      sleep $((RANDOM%3+1))\n      echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs\n      sleep $((RANDOM%3+1))\n  }\n\n  function do_set_channel()\n  {\n      local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/)\n      [ -z \"$nic\" ] && { sleep $((RANDOM%3)) ; return 1; }\n      ifconfig $nic 192.168.18.5 netmask 255.255.255.0\n      ifconfig $nic up\n      ethtool -L $nic combined 1\n      ethtool -L $nic combined 4\n      sleep $((RANDOM%3))\n  }\n\n  function on_exit()\n  {\n      local pid\n      for pid in \"${g_pids[@]}\"; do\n          kill -0 \"$pid\" &>/dev/null && kill \"$pid\" &>/dev/null\n      done\n      g_pids=()\n  }\n\n  trap \"on_exit; exit\" EXIT\n\n  while :; do do_set_numvf ; done &\n  g_pids+=($!)\n  while :; do do_set_channel ; done &\n  g_pids+=($!)\n\n  wait\n\nResult:\n\n[ 4093.900222] ==================================================================\n[ 4093.900230] BUG: KASAN: use-after-free in free_netdev+0x308/0x390\n[ 4093.900232] Read of size 8 at addr ffff88b4dc145640 by task repro.sh/6699\n[ 4093.900233]\n[ 4093.900236] CPU: 10 PID: 6699 Comm: repro.sh Kdump: loaded Tainted: G           O     --------- -t - 4.18.0 #1\n[ 4093.900238] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021\n[ 4093.900239] Call Trace:\n[ 4093.900244]  dump_stack+0x71/0xab\n[ 4093.900249]  print_address_description+0x6b/0x290\n[ 4093.900251]  ? free_netdev+0x308/0x390\n[ 4093.900252]  kasan_report+0x14a/0x2b0\n[ 4093.900254]  free_netdev+0x308/0x390\n[ 4093.900261]  iavf_remove+0x825/0xd20 [iavf]\n[ 4093.900265]  pci_device_remove+0xa8/0x1f0\n[ 4093.900268]  device_release_driver_internal+0x1c6/0x460\n[ 4093.900271]  pci_stop_bus_device+0x101/0x150\n[ 4093.900273]  pci_stop_and_remove_bus_device+0xe/0x20\n[ 4093.900275]  pci_iov_remove_virtfn+0x187/0x420\n[ 4093.900277]  ? pci_iov_add_virtfn+0xe10/0xe10\n[ 4093.900278]  ? pci_get_subsys+0x90/0x90\n[ 4093.900280]  sriov_disable+0xed/0x3e0\n[ 4093.900282]  ? bus_find_device+0x12d/0x1a0\n[ 4093.900290]  i40e_free_vfs+0x754/0x1210 [i40e]\n[ 4093.900298]  ? i40e_reset_all_vfs+0x880/0x880 [i40e]\n[ 4093.900299]  ? pci_get_device+0x7c/0x90\n[ 4093.900300]  ? pci_get_subsys+0x90/0x90\n[ 4093.900306]  ? pci_vfs_assigned.part.7+0x144/0x210\n[ 4093.900309]  ? __mutex_lock_slowpath+0x10/0x10\n[ 4093.900315]  i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e]\n[ 4093.900318]  sriov_numvfs_store+0x214/0x290\n[ 4093.900320]  ? sriov_totalvfs_show+0x30/0x30\n[ 4093.900321]  ? __mutex_lock_slowpath+0x10/0x10\n[ 4093.900323]  ? __check_object_size+0x15a/0x350\n[ 4093.900326]  kernfs_fop_write+0x280/0x3f0\n[ 4093.900329]  vfs_write+0x145/0x440\n[ 4093.900330]  ksys_write+0xab/0x160\n[ 4093.900332]  ? __ia32_sys_read+0xb0/0xb0\n[ 4093.900334]  ? fput_many+0x1a/0x120\n[ 4093.900335]  ? filp_close+0xf0/0x130\n[ 4093.900338]  do_syscall_64+0xa0/0x370\n[ 4093.900339]  ? page_fault+0x8/0x30\n[ 4093.900341]  entry_SYSCALL_64_after_hwframe+0x65/0xca\n[ 4093.900357] RIP: 0033:0x7f16ad4d22c0\n[ 4093.900359] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24\n[ 4093.900360] RSP: 002b:00007ffd6491b7f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ 4093.900362] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f16ad4d22c0\n[ 4093.900363] RDX: 0000000000000002 RSI: 0000000001a41408 RDI: 0000000000000001\n[ 4093.900364] RBP: 0000000001a41408 R08: 00007f16ad7a1780 R09: 00007f16ae1f2700\n[ 4093.9003\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/intel/iavf/iavf_main.c"],"versions":[{"version":"5eae00c57f5e42bf201023471917da213c4946d6","lessThan":"17046107ca15d7571551539d94e76aba2bf71fd3","status":"affected","versionType":"git"},{"version":"5eae00c57f5e42bf201023471917da213c4946d6","lessThan":"a4635f190f332304db4a49e827ece790b804b5db","status":"affected","versionType":"git"},{"version":"5eae00c57f5e42bf201023471917da213c4946d6","lessThan":"345c44e18cc10cded85cb9134830e1684495c866","status":"affected","versionType":"git"},{"version":"5eae00c57f5e42bf201023471917da213c4946d6","lessThan":"ca12b98e04b5d1902ac08fe826d3500cb4b6e891","status":"affected","versionType":"git"},{"version":"5eae00c57f5e42bf201023471917da213c4946d6","lessThan":"8d781a9c53034813c3194b7d94409c7d24ac73eb","status":"affected","versionType":"git"},{"version":"5eae00c57f5e42bf201023471917da213c4946d6","lessThan":"5f4fa1672d98fe99d2297b03add35346f1685d6b","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/intel/iavf/iavf_main.c"],"versions":[{"version":"3.14","status":"affected"},{"version":"0","lessThan":"3.14","status":"unaffected","versionType":"semver"},{"version":"5.4.251","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.188","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.123","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.42","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.4.7","lessThanOrEqual":"6.4.*","status":"unaffected","versionType":"semver"},{"version":"6.5","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.14","versionEndExcluding":"5.4.251"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.14","versionEndExcluding":"5.10.188"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.14","versionEndExcluding":"5.15.123"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.14","versionEndExcluding":"6.1.42"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.14","versionEndExcluding":"6.4.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.14","versionEndExcluding":"6.5"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/17046107ca15d7571551539d94e76aba2bf71fd3"},{"url":"https://git.kernel.org/stable/c/a4635f190f332304db4a49e827ece790b804b5db"},{"url":"https://git.kernel.org/stable/c/345c44e18cc10cded85cb9134830e1684495c866"},{"url":"https://git.kernel.org/stable/c/ca12b98e04b5d1902ac08fe826d3500cb4b6e891"},{"url":"https://git.kernel.org/stable/c/8d781a9c53034813c3194b7d94409c7d24ac73eb"},{"url":"https://git.kernel.org/stable/c/5f4fa1672d98fe99d2297b03add35346f1685d6b"}],"title":"iavf: Fix use-after-free in free_netdev","x_generator":{"engine":"bippy-1.2.0"}}}}