{"id":"CVE-2023-53333","summary":"netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one\n\nEric Dumazet says:\n  nf_conntrack_dccp_packet() has an unique:\n\n  dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);\n\n  And nothing more is 'pulled' from the packet, depending on the content.\n  dh-\u003edccph_doff, and/or dh-\u003edccph_x ...)\n  So dccp_ack_seq() is happily reading stuff past the _dh buffer.\n\nBUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0\nRead of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371\n[..]\n\nFix this by increasing the stack buffer to also include room for\nthe extra sequence numbers and all the known dccp packet type headers,\nthen pull again after the initial validation of the basic header.\n\nWhile at it, mark packets invalid that lack 48bit sequence bit but\nwhere RFC says the type MUST use them.\n\nCompile tested only.\n\nv2: first skb_header_pointer() now needs to adjust the size to\n    only pull the generic header. (Eric)\n\nHeads-up: I intend to remove dccp conntrack support later this year.","modified":"2026-04-02T09:44:01.225061Z","published":"2025-09-16T16:12:08.427Z","related":["SUSE-SU-2025:03600-1","SUSE-SU-2025:03613-1","SUSE-SU-2025:03614-1","SUSE-SU-2025:03615-1","SUSE-SU-2025:03626-1","SUSE-SU-2025:03628-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20851-1","SUSE-SU-2025:20861-1","SUSE-SU-2025:20870-1","SUSE-SU-2025:20898-1","SUSE-SU-2025:3716-1","SUSE-SU-2025:3751-1","SUSE-SU-2025:3761-1","SUSE-SU-2025:4057-1","SUSE-SU-2025:4132-1","SUSE-SU-2025:4141-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53333.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/26bd1f210d3783a691052c51d76bb8a8bbd24c67"},{"type":"WEB","url":"https://git.kernel.org/stable/c/337fdce450637ea663bc816edc2ba81e5cdad02e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5c618daa5038712c4a4ef8923905a2ea1b8836a1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8c0980493beed3a80d6329c44ab293dc8c032927"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9bdcda7abaf22f6453e5b5efb7eb4e524095d5d8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c052797ac36813419ad3bfa54cb8615db4b41f15"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ff0a3a7d52ff7282dbd183e7fc29a1fe386b0c30"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53333.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53333"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"2bc780499aa33311ec0f3e42624dfaa7be0ade5e"},{"fixed":"337fdce450637ea663bc816edc2ba81e5cdad02e"},{"fixed":"9bdcda7abaf22f6453e5b5efb7eb4e524095d5d8"},{"fixed":"c052797ac36813419ad3bfa54cb8615db4b41f15"},{"fixed":"5c618daa5038712c4a4ef8923905a2ea1b8836a1"},{"fixed":"26bd1f210d3783a691052c51d76bb8a8bbd24c67"},{"fixed":"8c0980493beed3a80d6329c44ab293dc8c032927"},{"fixed":"ff0a3a7d52ff7282dbd183e7fc29a1fe386b0c30"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53333.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"}]}