{"id":"CVE-2023-52991","summary":"net: fix NULL pointer in skb_segment_list","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix NULL pointer in skb_segment_list\n\nCommit 3a1296a38d0c (\"net: Support GRO/GSO fraglist chaining.\")\nintroduced UDP listifyed GRO. The segmentation relies on frag_list being\nuntouched when passing through the network stack. This assumption can be\nbroken sometimes, where frag_list itself gets pulled into linear area,\nleaving frag_list being NULL. When this happens it can trigger\nfollowing NULL pointer dereference, and panic the kernel. Reverse the\ntest condition should fix it.\n\n[19185.577801][    C1] BUG: kernel NULL pointer dereference, address:\n...\n[19185.663775][    C1] RIP: 0010:skb_segment_list+0x1cc/0x390\n...\n[19185.834644][    C1] Call Trace:\n[19185.841730][    C1]  \u003cTASK\u003e\n[19185.848563][    C1]  __udp_gso_segment+0x33e/0x510\n[19185.857370][    C1]  inet_gso_segment+0x15b/0x3e0\n[19185.866059][    C1]  skb_mac_gso_segment+0x97/0x110\n[19185.874939][    C1]  __skb_gso_segment+0xb2/0x160\n[19185.883646][    C1]  udp_queue_rcv_skb+0xc3/0x1d0\n[19185.892319][    C1]  udp_unicast_rcv_skb+0x75/0x90\n[19185.900979][    C1]  ip_protocol_deliver_rcu+0xd2/0x200\n[19185.910003][    C1]  ip_local_deliver_finish+0x44/0x60\n[19185.918757][    C1]  __netif_receive_skb_one_core+0x8b/0xa0\n[19185.927834][    C1]  process_backlog+0x88/0x130\n[19185.935840][    C1]  __napi_poll+0x27/0x150\n[19185.943447][    C1]  net_rx_action+0x27e/0x5f0\n[19185.951331][    C1]  ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core]\n[19185.960848][    C1]  __do_softirq+0xbc/0x25d\n[19185.968607][    C1]  irq_exit_rcu+0x83/0xb0\n[19185.976247][    C1]  common_interrupt+0x43/0xa0\n[19185.984235][    C1]  asm_common_interrupt+0x22/0x40\n...\n[19186.094106][    C1]  \u003c/TASK\u003e","modified":"2026-04-02T09:43:32.414652Z","published":"2025-03-27T16:43:26.991Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52991.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/046de74f9af92ae9ffce75fa22a1795223f4fb54"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6446369fb9f083ce032448c5047da08e298b22e6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/876e8ca8366735a604bac86ff7e2732fc9d85d2d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/888dad6f3e85e3b2f8389bd6478f181efc72534d"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52991.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52991"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"3a1296a38d0cf62bffb9a03c585cbd5dbf15d596"},{"fixed":"6446369fb9f083ce032448c5047da08e298b22e6"},{"fixed":"046de74f9af92ae9ffce75fa22a1795223f4fb54"},{"fixed":"888dad6f3e85e3b2f8389bd6478f181efc72534d"},{"fixed":"876e8ca8366735a604bac86ff7e2732fc9d85d2d"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52991.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}