CVE-2023-54114 - Vulnerability Details

- net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()

Description

In the Linux kernel, the following vulnerability has been resolved:

net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()

As the call trace shows, skb_panic was caused by wrong skb->mac_header
in nsh_gso_segment():

invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1
RIP: 0010:skb_panic+0xda/0xe0
call Trace:
skb_push+0x91/0xa0
nsh_gso_segment+0x4f3/0x570
skb_mac_gso_segment+0x19e/0x270
__skb_gso_segment+0x1e8/0x3c0
validate_xmit_skb+0x452/0x890
validate_xmit_skb_list+0x99/0xd0
sch_direct_xmit+0x294/0x7c0
__dev_queue_xmit+0x16f0/0x1d70
packet_xmit+0x185/0x210
packet_snd+0xc15/0x1170
packet_sendmsg+0x7b/0xa0
sock_sendmsg+0x14f/0x160

The root cause is:
nsh_gso_segment() use skb->network_header - nhoff to reset mac_header
in skb_gso_error_unwind() if inner-layer protocol gso fails.
However, skb->network_header may be reset by inner-layer protocol
gso function e.g. mpls_gso_segment. skb->mac_header reset by the
inaccurate network_header will be larger than skb headroom.

nsh_gso_segment
nhoff = skb->network_header - skb->mac_header;
__skb_pull(skb,nsh_len)
skb_mac_gso_segment
mpls_gso_segment
skb_reset_network_header(skb);//skb->network_header+=nsh_len
return -EINVAL;
skb_gso_error_unwind
skb_push(skb, nsh_len);
skb->mac_header = skb->network_header - nhoff;
// skb->mac_header > skb->headroom, cause skb_push panic

Use correct mac_offset to restore mac_header and get rid of nhoff.

Published: 2025-12-24

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`c411ed854584a71b0e86ac3019b60e4789d88086`	affected	< 2f88c8d38ecf5ed0273f99a067246899ba499eb2
`c411ed854584a71b0e86ac3019b60e4789d88086`	affected	< d2309e0cb27b6871b273fbc1725e93be62570d86
`c411ed854584a71b0e86ac3019b60e4789d88086`	affected	< 435855b0831b351cb72cb38369ee33122ce9574c
`c411ed854584a71b0e86ac3019b60e4789d88086`	affected	< 02b20e0bc0c2628539e9e518dc342787c3332de2
`c411ed854584a71b0e86ac3019b60e4789d88086`	affected	< cdd8160dcda1fed2028a5f96575a84afc23aff7d
`c411ed854584a71b0e86ac3019b60e4789d88086`	affected	< 6fbedf987b6b8ed54a50e2205d998eb2c8be72f9
`c411ed854584a71b0e86ac3019b60e4789d88086`	affected	< cb38e62922aa3991793344b5a5870e7291c74a44
`c411ed854584a71b0e86ac3019b60e4789d88086`	affected	< c83b49383b595be50647f0c764a48c78b5f3c4f8

Linux

affected

Version	Status	Constraints
`4.14`	affected	—
`0`	unaffected	< 4.14
`4.14.316`	unaffected	≤ 4.14.*
`4.19.284`	unaffected	≤ 4.19.*
`5.4.244`	unaffected	≤ 5.4.*
`5.10.181`	unaffected	≤ 5.10.*
`5.15.113`	unaffected	≤ 5.15.*
`6.1.30`	unaffected	≤ 6.1.*
`6.3.4`	unaffected	≤ 6.3.*
`6.4`	unaffected	≤ *

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00047.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/02b20e0bc0c2628539e9e518dc342787c3332de2
https://git.kernel.org/stable/c/2f88c8d38ecf5ed0273f99a067246899ba499eb2
https://git.kernel.org/stable/c/435855b0831b351cb72cb38369ee33122ce9574c
https://git.kernel.org/stable/c/6fbedf987b6b8ed54a50e2205d998eb2c8be72f9
https://git.kernel.org/stable/c/c83b49383b595be50647f0c764a48c78b5f3c4f8
https://git.kernel.org/stable/c/cb38e62922aa3991793344b5a5870e7291c74a44
https://git.kernel.org/stable/c/cdd8160dcda1fed2028a5f96575a84afc23aff7d
https://git.kernel.org/stable/c/d2309e0cb27b6871b273fbc1725e93be62570d86
https://lore.kernel.org/linux-cve-announce/2025122414-CVE-2023-54114-8362@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2023-54114
https://www.cve.org/CVERecord?id=CVE-2023-54114

History

Thu, 25 Dec 2025 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025122414-CVE-2023-54114-8362@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2023-54114 https://www.cve.org/CVERecord?id=CVE-2023-54114
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 24 Dec 2025 13:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment() As the call trace shows, skb_panic was caused by wrong skb->mac_header in nsh_gso_segment(): invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1 RIP: 0010:skb_panic+0xda/0xe0 call Trace: skb_push+0x91/0xa0 nsh_gso_segment+0x4f3/0x570 skb_mac_gso_segment+0x19e/0x270 __skb_gso_segment+0x1e8/0x3c0 validate_xmit_skb+0x452/0x890 validate_xmit_skb_list+0x99/0xd0 sch_direct_xmit+0x294/0x7c0 __dev_queue_xmit+0x16f0/0x1d70 packet_xmit+0x185/0x210 packet_snd+0xc15/0x1170 packet_sendmsg+0x7b/0xa0 sock_sendmsg+0x14f/0x160 The root cause is: nsh_gso_segment() use skb->network_header - nhoff to reset mac_header in skb_gso_error_unwind() if inner-layer protocol gso fails. However, skb->network_header may be reset by inner-layer protocol gso function e.g. mpls_gso_segment. skb->mac_header reset by the inaccurate network_header will be larger than skb headroom. nsh_gso_segment nhoff = skb->network_header - skb->mac_header; __skb_pull(skb,nsh_len) skb_mac_gso_segment mpls_gso_segment skb_reset_network_header(skb);//skb->network_header+=nsh_len return -EINVAL; skb_gso_error_unwind skb_push(skb, nsh_len); skb->mac_header = skb->network_header - nhoff; // skb->mac_header > skb->headroom, cause skb_push panic Use correct mac_offset to restore mac_header and get rid of nhoff.
Title		net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/02b20e0bc0c2628539e9e518dc342787c3332de2 https://git.kernel.org/stable/c/2f88c8d38ecf5ed0273f99a067246899ba499eb2 https://git.kernel.org/stable/c/435855b0831b351cb72cb38369ee33122ce9574c https://git.kernel.org/stable/c/6fbedf987b6b8ed54a50e2205d998eb2c8be72f9 https://git.kernel.org/stable/c/c83b49383b595be50647f0c764a48c78b5f3c4f8 https://git.kernel.org/stable/c/cb38e62922aa3991793344b5a5870e7291c74a44 https://git.kernel.org/stable/c/cdd8160dcda1fed2028a5f96575a84afc23aff7d https://git.kernel.org/stable/c/d2309e0cb27b6871b273fbc1725e93be62570d86

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-12-24T13:06:36.214Z

Updated: 2026-05-11T19:55:44.834Z

Reserved: 2025-12-24T13:02:52.519Z

Link: CVE-2023-54114

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2025-12-24T13:16:13.323

Modified: 2026-04-15T00:35:42.020

Link: CVE-2023-54114

Redhat

Severity : Low

Publid Date: 2025-12-24T00:00:00Z

Links: CVE-2023-54114 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object