CVE-2023-53068: net: usb: lan78xx: Limit packet length to skb->len
In the Linux kernel, the following vulnerability has been resolved:
net: usb: lan78xx: Limit packet length to skb->len
Packet length retrieved from descriptor may be larger than
the actual socket buffer length. In such case the cloned
skb passed up the network stack will leak kernel memory contents.
Additionally prevent integer underflow when size is less than
ETH_FCS_LEN.
Security readout for executives and security teams
Plain-English summary
CVE-2023-53068 is a Linux kernel information leak in the lan78xx USB Ethernet driver. A packet descriptor can claim more data than the socket buffer actually holds, causing kernel memory contents to be passed upward in network handling. The public bundle does not provide a CVSS score or exploitation evidence.
Executive priority
Prioritize normal kernel patch management, with faster handling for systems that use LAN78xx USB Ethernet. Current public evidence does not support emergency internet-wide action, but kernel memory disclosure bugs deserve timely remediation because exposed data may be sensitive.
Technical view
The lan78xx driver used a packet length from a descriptor without limiting it to skb->len. When the descriptor length exceeded the real buffer length, a cloned skb could expose adjacent kernel memory. The fix also prevents integer underflow when size is smaller than ETH_FCS_LEN.
Likely exposure
Exposure appears limited to Linux systems running affected kernel versions and using the lan78xx USB Ethernet driver. The bundle lists upstream stable fixes, but does not provide a complete distribution package matrix or hardware deployment scope.
Exploitation context
The source bundle says this is not in KEV and provides no cited evidence of active exploitation. It also does not include attacker prerequisites, proof-of-concept details, or observed abuse. Treat exploitation status as unproven from the provided sources.
Researcher notes
The key evidence is the upstream Linux fix description: descriptor packet length may exceed skb->len, leaking kernel memory through cloned skb handling. Severity metadata is incomplete, with no CVSS or CWE in the bundle. Validate exposure against actual driver use, not Linux presence alone.
Mitigation direction
Check Linux distribution advisories for kernels containing the upstream stable fixes.
Update affected Linux kernels through the normal vendor-supported channel.
Prioritize systems using LAN78xx USB Ethernet adapters or loading the lan78xx driver.
Track vendor backports because package versions may differ from upstream kernel versions.
If patching is delayed, follow vendor guidance for temporary exposure reduction.
Validation and detection
Inventory Linux hosts for affected kernel versions and lan78xx driver usage.
Confirm whether vendor kernel packages include the referenced stable commits.
Review asset data for USB Ethernet adapters relying on the LAN78xx chipset family.
Verify patched hosts no longer map to the affected upstream version range.
Document any systems awaiting vendor fixes or operational maintenance windows.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2023-53068 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
4Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
May 2, 2025, 15:55 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.