{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-54262","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-30T12:06:44.517Z","datePublished":"2025-12-30T12:15:55.556Z","dateUpdated":"2026-05-11T19:58:34.326Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:58:34.326Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Don't clone flow post action attributes second time\n\nThe code already clones post action attributes in\nmlx5e_clone_flow_attr_for_post_act(). Creating another copy in\nmlx5e_tc_post_act_add() is a erroneous leftover from original\nimplementation. Instead, assign handle->attribute to post_attr provided by\nthe caller. Note that cloning the attribute second time is not just\nwasteful but also causes issues like second copy not being properly updated\nin neigh update code which leads to following use-after-free:\n\nFeb 21 09:02:00 c-237-177-40-045 kernel: BUG: KASAN: use-after-free in mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_report+0xbb/0x1a0\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_save_stack+0x1e/0x40\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_set_track+0x21/0x30\nFeb 21 09:02:00 c-237-177-40-045 kernel:  __kasan_kmalloc+0x7a/0x90\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_save_stack+0x1e/0x40\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_set_track+0x21/0x30\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_save_free_info+0x2a/0x40\nFeb 21 09:02:00 c-237-177-40-045 kernel:  ____kasan_slab_free+0x11a/0x1b0\nFeb 21 09:02:00 c-237-177-40-045 kernel: page dumped because: kasan: bad access detected\nFeb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0: mlx5_cmd_out_err:803:(pid 8833): SET_FLOW_TABLE_ENTRY(0x936) op_mod(0x0) failed, status bad resource state(0x9), syndrome (0xf2ff71), err(-22)\nFeb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0 enp8s0f0: Failed to add post action rule\nFeb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0: mlx5e_tc_encap_flows_add:190:(pid 8833): Failed to update flow post acts, -22\nFeb 21 09:02:00 c-237-177-40-045 kernel: Call Trace:\nFeb 21 09:02:00 c-237-177-40-045 kernel:  <TASK>\nFeb 21 09:02:00 c-237-177-40-045 kernel:  dump_stack_lvl+0x57/0x7d\nFeb 21 09:02:00 c-237-177-40-045 kernel:  print_report+0x170/0x471\nFeb 21 09:02:00 c-237-177-40-045 kernel:  ? mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_report+0xbb/0x1a0\nFeb 21 09:02:00 c-237-177-40-045 kernel:  ? mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  ? __module_address.part.0+0x62/0x200\nFeb 21 09:02:00 c-237-177-40-045 kernel:  ? mlx5_cmd_stub_create_flow_table+0xd0/0xd0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  ? __raw_spin_lock_init+0x3b/0x110\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5_cmd_create_fte+0x80/0xb0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  add_rule_fg+0xe80/0x19c0 [mlx5_core]\n--\nFeb 21 09:02:00 c-237-177-40-045 kernel: Allocated by task 13476:\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_save_stack+0x1e/0x40\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_set_track+0x21/0x30\nFeb 21 09:02:00 c-237-177-40-045 kernel:  __kasan_kmalloc+0x7a/0x90\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5_packet_reformat_alloc+0x7b/0x230 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5e_tc_tun_create_header_ipv4+0x977/0xf10 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5e_attach_encap+0x15b4/0x1e10 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  post_process_attr+0x305/0xa30 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5e_tc_add_fdb_flow+0x4c0/0xcf0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5e_configure_flower+0xcaa/0x4b90 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5e_rep_setup_tc_cls_flower+0x99/0x1b0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5e_rep_setup_tc_cb+0x133/0x1e0 [mlx5_core]\n--\nFeb 21 09:02:00 c-237-177-40-045 kernel: Freed by task 8833:\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_save_s\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/mellanox/mlx5/core/en/tc/post_act.c","drivers/net/ethernet/mellanox/mlx5/core/en/tc/post_act.h"],"versions":[{"version":"8300f225268be9ee2c0daf5a3f23929fcdcbf213","lessThan":"c382b693ffcb1f1ebf60d76ab9dedfe9ea13eedf","status":"affected","versionType":"git"},{"version":"8300f225268be9ee2c0daf5a3f23929fcdcbf213","lessThan":"8fd1dac646e6b08d03e3f1ad3c5b34255b1e08e8","status":"affected","versionType":"git"},{"version":"8300f225268be9ee2c0daf5a3f23929fcdcbf213","lessThan":"2d57a514f9ab7d2d40f49b02d93edfcec8c78a9e","status":"affected","versionType":"git"},{"version":"8300f225268be9ee2c0daf5a3f23929fcdcbf213","lessThan":"e9fce818fe003b6c527f25517b9ac08eb4661b5d","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/mellanox/mlx5/core/en/tc/post_act.c","drivers/net/ethernet/mellanox/mlx5/core/en/tc/post_act.h"],"versions":[{"version":"5.18","status":"affected"},{"version":"0","lessThan":"5.18","status":"unaffected","versionType":"semver"},{"version":"6.1.28","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2.15","lessThanOrEqual":"6.2.*","status":"unaffected","versionType":"semver"},{"version":"6.3.2","lessThanOrEqual":"6.3.*","status":"unaffected","versionType":"semver"},{"version":"6.4","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.1.28"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.2.15"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.3.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/c382b693ffcb1f1ebf60d76ab9dedfe9ea13eedf"},{"url":"https://git.kernel.org/stable/c/8fd1dac646e6b08d03e3f1ad3c5b34255b1e08e8"},{"url":"https://git.kernel.org/stable/c/2d57a514f9ab7d2d40f49b02d93edfcec8c78a9e"},{"url":"https://git.kernel.org/stable/c/e9fce818fe003b6c527f25517b9ac08eb4661b5d"}],"title":"net/mlx5e: Don't clone flow post action attributes second time","x_generator":{"engine":"bippy-1.2.0"}}}}