{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-53667","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-10-07T15:16:59.662Z","datePublished":"2025-10-07T15:21:25.185Z","dateUpdated":"2026-05-11T19:49:35.341Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:49:35.341Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cdc_ncm: Deal with too low values of dwNtbOutMaxSize\n\nCurrently in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is lower than\nthe calculated \"min\" value, but greater than zero, the logic sets\ntx_max to dwNtbOutMaxSize. This is then used to allocate a new SKB in\ncdc_ncm_fill_tx_frame() where all the data is handled.\n\nFor small values of dwNtbOutMaxSize the memory allocated during\nalloc_skb(dwNtbOutMaxSize, GFP_ATOMIC) will have the same size, due to\nhow size is aligned at alloc time:\n\tsize = SKB_DATA_ALIGN(size);\n        size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));\nThus we hit the same bug that we tried to squash with\ncommit 2be6d4d16a084 (\"net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero\")\n\nLow values of dwNtbOutMaxSize do not cause an issue presently because at\nalloc_skb() time more memory (512b) is allocated than required for the\nSKB headers alone (320b), leaving some space (512b - 320b = 192b)\nfor CDC data (172b).\n\nHowever, if more elements (for example 3 x u64 = [24b]) were added to\none of the SKB header structs, say 'struct skb_shared_info',\nincreasing its original size (320b [320b aligned]) to something larger\n(344b [384b aligned]), then suddenly the CDC data (172b) no longer\nfits in the spare SKB data area (512b - 384b = 128b).\n\nConsequently the SKB bounds checking semantics fails and panics:\n\nskbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172 head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80 dev:<NULL>\n------------[ cut here ]------------\nkernel BUG at net/core/skbuff.c:113!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 0 PID: 57 Comm: kworker/0:2 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023\nWorkqueue: mld mld_ifc_work\nRIP: 0010:skb_panic net/core/skbuff.c:113 [inline]\nRIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118\n[snip]\nCall Trace:\n <TASK>\n skb_put+0x151/0x210 net/core/skbuff.c:2047\n skb_put_zero include/linux/skbuff.h:2422 [inline]\n cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline]\n cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1308\n cdc_ncm_tx_fixup+0xa3/0x100\n\nDeal with too low values of dwNtbOutMaxSize, clamp it in the range\n[USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. We ensure\nenough data space is allocated to handle CDC data by making sure\ndwNtbOutMaxSize is not smaller than USB_CDC_NCM_NTB_MIN_OUT_SIZE."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/usb/cdc_ncm.c"],"versions":[{"version":"289507d3364f96f4b8814726917d572f71350d87","lessThan":"2334ff0b343ba6ba7a6c0586fcc83992bbbc1776","status":"affected","versionType":"git"},{"version":"289507d3364f96f4b8814726917d572f71350d87","lessThan":"bf415bfe7573596ac213b4fd1da9e62cfc9a9413","status":"affected","versionType":"git"},{"version":"289507d3364f96f4b8814726917d572f71350d87","lessThan":"ff484163dfb61b58f23e4dbd007de1094427669c","status":"affected","versionType":"git"},{"version":"289507d3364f96f4b8814726917d572f71350d87","lessThan":"42b78c8cc774b47023d6d16d96d54cc7015e4a07","status":"affected","versionType":"git"},{"version":"289507d3364f96f4b8814726917d572f71350d87","lessThan":"9be921854e983a81a0aeeae5febcd87093086e46","status":"affected","versionType":"git"},{"version":"289507d3364f96f4b8814726917d572f71350d87","lessThan":"6147745d43ff4e0d2c542e5b93e398ef0ee4db00","status":"affected","versionType":"git"},{"version":"289507d3364f96f4b8814726917d572f71350d87","lessThan":"72d0240b0ee4794efc683975c213e4b384fea733","status":"affected","versionType":"git"},{"version":"289507d3364f96f4b8814726917d572f71350d87","lessThan":"7e01c7f7046efc2c7c192c3619db43292b98e997","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/usb/cdc_ncm.c"],"versions":[{"version":"3.16","status":"affected"},{"version":"0","lessThan":"3.16","status":"unaffected","versionType":"semver"},{"version":"4.14.317","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.285","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.245","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.181","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.114","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.31","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.3.5","lessThanOrEqual":"6.3.*","status":"unaffected","versionType":"semver"},{"version":"6.4","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"4.14.317"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"4.19.285"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"5.4.245"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"5.10.181"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"5.15.114"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"6.1.31"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"6.3.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"6.4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2334ff0b343ba6ba7a6c0586fcc83992bbbc1776"},{"url":"https://git.kernel.org/stable/c/bf415bfe7573596ac213b4fd1da9e62cfc9a9413"},{"url":"https://git.kernel.org/stable/c/ff484163dfb61b58f23e4dbd007de1094427669c"},{"url":"https://git.kernel.org/stable/c/42b78c8cc774b47023d6d16d96d54cc7015e4a07"},{"url":"https://git.kernel.org/stable/c/9be921854e983a81a0aeeae5febcd87093086e46"},{"url":"https://git.kernel.org/stable/c/6147745d43ff4e0d2c542e5b93e398ef0ee4db00"},{"url":"https://git.kernel.org/stable/c/72d0240b0ee4794efc683975c213e4b384fea733"},{"url":"https://git.kernel.org/stable/c/7e01c7f7046efc2c7c192c3619db43292b98e997"}],"title":"net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize","x_generator":{"engine":"bippy-1.2.0"}}}}