CVE-2023-53549: netfilter: ipset: Rework long task execution when adding/deleting entries
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ipset: Rework long task execution when adding/deleting entries
When adding/deleting large number of elements in one step in ipset, it can
take a reasonable amount of time and can result in soft lockup errors. The
patch 5f7b51bf09ba ("netfilter: ipset: Limit the maximal range of
consecutive elements to add/delete") tried to fix it by limiting the max
elements to process at all. However it was not enough, it is still possible
that we get hung tasks. Lowering the limit is not reasonable, so the
approach in this patch is as follows: rely on the method used at resizing
sets and save the state when we reach a smaller internal batch limit,
unlock/lock and proceed from the saved state. Thus we can avoid long
continuous tasks and at the same time removed the limit to add/delete large
number of elements in one step.
The nfnl mutex is held during the whole operation which prevents one to
issue other ipset commands in parallel.
Security readout for executives and security teams
Plain-English summary
This Linux kernel issue is an availability problem in netfilter ipset. Very large add or delete operations can run too long and trigger soft lockup or hung-task conditions. It matters most on Linux hosts or appliances that rely on ipset for firewall or blocklist management. The bundle does not report active exploitation.
Executive priority
Treat as a targeted availability risk, not an emergency based on current evidence. Patch during normal kernel maintenance, with higher priority for firewalls, routers, security appliances, or production hosts that perform bulk ipset updates.
Technical view
The resolved kernel change reworks long ipset add/delete processing. A prior maximum-range limit did not fully prevent hung tasks. The fix saves progress at smaller internal batch limits, unlocks and relocks, then resumes, while the nfnl mutex prevents parallel ipset commands during the operation.
Likely exposure
Exposure is most likely on Linux systems using netfilter ipset with workflows that add or delete large numbers of elements at once. The source bundle lists Linux kernel versions including 5.14, 5.10.163, 5.15.87, 6.0.19, 6.1.5, and 6.2 as affected.
Exploitation context
The provided sources describe a reliability flaw from large ipset operations causing soft lockups or hung tasks. They do not identify remote exploitation, privilege requirements, public exploit code, or confirmed in-the-wild abuse. KEV is false in the bundle.
Researcher notes
Evidence is limited to the CVE description and Linux stable commit references. The bundle gives no CVSS score, CWE, exploit status, or detailed privilege model. Analysis should focus on kernel version mapping, ipset usage, and whether local operational workflows can trigger long-running add/delete tasks.
Mitigation direction
Review vendor kernel advisories for fixed builds carrying the referenced stable commits.
Prioritize updates on hosts using ipset for large firewall or blocklist operations.
Avoid operational jobs that add or delete very large ipset batches until patched.
Monitor for soft lockup or hung-task kernel messages during ipset maintenance.
Validation and detection
Inventory Linux kernel versions on systems using netfilter ipset.
Check whether deployed kernels include the referenced stable fixes.
Review automation for bulk ipset add or delete behavior.
Search kernel logs for soft lockup or hung-task messages involving ipset.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2023-53549 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
6Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Oct 4, 2025, 15:16 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.