In the Linux kernel, the following vulnerability has been resolved:

net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()

As the call trace shows, skb_panic was caused by wrong skb->mac_header
in nsh_gso_segment():

invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1
RIP: 0010:skb_panic+0xda/0xe0
call Trace:
skb_push+0x91/0xa0
nsh_gso_segment+0x4f3/0x570
skb_mac_gso_segment+0x19e/0x270
__skb_gso_segment+0x1e8/0x3c0
validate_xmit_skb+0x452/0x890
validate_xmit_skb_list+0x99/0xd0
sch_direct_xmit+0x294/0x7c0
__dev_queue_xmit+0x16f0/0x1d70
packet_xmit+0x185/0x210
packet_snd+0xc15/0x1170
packet_sendmsg+0x7b/0xa0
sock_sendmsg+0x14f/0x160

The root cause is:
nsh_gso_segment() use skb->network_header - nhoff to reset mac_header
in skb_gso_error_unwind() if inner-layer protocol gso fails.
However, skb->network_header may be reset by inner-layer protocol
gso function e.g. mpls_gso_segment. skb->mac_header reset by the
inaccurate network_header will be larger than skb headroom.

nsh_gso_segment
nhoff = skb->network_header - skb->mac_header;
__skb_pull(skb,nsh_len)
skb_mac_gso_segment
mpls_gso_segment
skb_reset_network_header(skb);//skb->network_header+=nsh_len
return -EINVAL;
skb_gso_error_unwind
skb_push(skb, nsh_len);
skb->mac_header = skb->network_header - nhoff;
// skb->mac_header > skb->headroom, cause skb_push panic

Use correct mac_offset to restore mac_header and get rid of nhoff.

Metrics

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Linux Subscribe
Linux Kernel Subscribe

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://git.kernel.org/stable/c/02b20e0bc0c2628539e9e518dc342787c3332de2 cve-icon cve-icon
https://git.kernel.org/stable/c/2f88c8d38ecf5ed0273f99a067246899ba499eb2 cve-icon cve-icon
https://git.kernel.org/stable/c/435855b0831b351cb72cb38369ee33122ce9574c cve-icon cve-icon
https://git.kernel.org/stable/c/6fbedf987b6b8ed54a50e2205d998eb2c8be72f9 cve-icon cve-icon
https://git.kernel.org/stable/c/c83b49383b595be50647f0c764a48c78b5f3c4f8 cve-icon cve-icon
https://git.kernel.org/stable/c/cb38e62922aa3991793344b5a5870e7291c74a44 cve-icon cve-icon
https://git.kernel.org/stable/c/cdd8160dcda1fed2028a5f96575a84afc23aff7d cve-icon cve-icon
https://git.kernel.org/stable/c/d2309e0cb27b6871b273fbc1725e93be62570d86 cve-icon cve-icon
https://lore.kernel.org/linux-cve-announce/2025122414-CVE-2023-54114-8362@gregkh/T cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2023-54114 cve-icon
https://www.cve.org/CVERecord?id=CVE-2023-54114 cve-icon
History

Thu, 25 Dec 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Wed, 24 Dec 2025 13:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment() As the call trace shows, skb_panic was caused by wrong skb->mac_header in nsh_gso_segment(): invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1 RIP: 0010:skb_panic+0xda/0xe0 call Trace: skb_push+0x91/0xa0 nsh_gso_segment+0x4f3/0x570 skb_mac_gso_segment+0x19e/0x270 __skb_gso_segment+0x1e8/0x3c0 validate_xmit_skb+0x452/0x890 validate_xmit_skb_list+0x99/0xd0 sch_direct_xmit+0x294/0x7c0 __dev_queue_xmit+0x16f0/0x1d70 packet_xmit+0x185/0x210 packet_snd+0xc15/0x1170 packet_sendmsg+0x7b/0xa0 sock_sendmsg+0x14f/0x160 The root cause is: nsh_gso_segment() use skb->network_header - nhoff to reset mac_header in skb_gso_error_unwind() if inner-layer protocol gso fails. However, skb->network_header may be reset by inner-layer protocol gso function e.g. mpls_gso_segment. skb->mac_header reset by the inaccurate network_header will be larger than skb headroom. nsh_gso_segment nhoff = skb->network_header - skb->mac_header; __skb_pull(skb,nsh_len) skb_mac_gso_segment mpls_gso_segment skb_reset_network_header(skb);//skb->network_header+=nsh_len return -EINVAL; skb_gso_error_unwind skb_push(skb, nsh_len); skb->mac_header = skb->network_header - nhoff; // skb->mac_header > skb->headroom, cause skb_push panic Use correct mac_offset to restore mac_header and get rid of nhoff.
Title net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2025-12-24T13:06:36.214Z

Reserved: 2025-12-24T13:02:52.519Z

Link: CVE-2023-54114

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2025-12-24T13:16:13.323

Modified: 2025-12-24T13:16:13.323

Link: CVE-2023-54114

cve-icon Redhat

Severity : Low

Publid Date: 2025-12-24T00:00:00Z

Links: CVE-2023-54114 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses

No weakness.