LiveActive security incident?Get immediate response
CVE Record

CVE-2023-53549: netfilter: ipset: Rework long task execution when adding/deleting entries

In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: Rework long task execution when adding/deleting entries When adding/deleting large number of elements in one step in ipset, it can take a reasonable amount of time and can result in soft lockup errors. The patch 5f7b51bf09ba ("netfilter: ipset: Limit the maximal range of consecutive elements to add/delete") tried to fix it by limiting the max elements to process at all. However it was not enough, it is still possible that we get hung tasks. Lowering the limit is not reasonable, so the approach in this patch is as follows: rely on the method used at resizing sets and save the state when we reach a smaller internal batch limit, unlock/lock and proceed from the saved state. Thus we can avoid long continuous tasks and at the same time removed the limit to add/delete large number of elements in one step. The nfnl mutex is held during the whole operation which prevents one to issue other ipset commands in parallel.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This Linux kernel issue is an availability problem in netfilter ipset. Very large add or delete operations can run too long and trigger soft lockup or hung-task conditions. It matters most on Linux hosts or appliances that rely on ipset for firewall or blocklist management. The bundle does not report active exploitation.

Executive priority

Treat as a targeted availability risk, not an emergency based on current evidence. Patch during normal kernel maintenance, with higher priority for firewalls, routers, security appliances, or production hosts that perform bulk ipset updates.

Technical view

The resolved kernel change reworks long ipset add/delete processing. A prior maximum-range limit did not fully prevent hung tasks. The fix saves progress at smaller internal batch limits, unlocks and relocks, then resumes, while the nfnl mutex prevents parallel ipset commands during the operation.

Likely exposure

Exposure is most likely on Linux systems using netfilter ipset with workflows that add or delete large numbers of elements at once. The source bundle lists Linux kernel versions including 5.14, 5.10.163, 5.15.87, 6.0.19, 6.1.5, and 6.2 as affected.

Exploitation context

The provided sources describe a reliability flaw from large ipset operations causing soft lockups or hung tasks. They do not identify remote exploitation, privilege requirements, public exploit code, or confirmed in-the-wild abuse. KEV is false in the bundle.

Researcher notes

Evidence is limited to the CVE description and Linux stable commit references. The bundle gives no CVSS score, CWE, exploit status, or detailed privilege model. Analysis should focus on kernel version mapping, ipset usage, and whether local operational workflows can trigger long-running add/delete tasks.

Mitigation direction

  • Review vendor kernel advisories for fixed builds carrying the referenced stable commits.
  • Prioritize updates on hosts using ipset for large firewall or blocklist operations.
  • Avoid operational jobs that add or delete very large ipset batches until patched.
  • Monitor for soft lockup or hung-task kernel messages during ipset maintenance.

Validation and detection

  • Inventory Linux kernel versions on systems using netfilter ipset.
  • Check whether deployed kernels include the referenced stable fixes.
  • Review automation for bulk ipset add or delete behavior.
  • Search kernel logs for soft lockup or hung-task messages involving ipset.
Prepared
Confidence
medium
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2023-53549 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
6Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxe62e62ea912a49f7230620f1bdc20410b943a44c, 5f7b51bf09baca8e4f80cbe879536842bafb5f31, 5f7b51bf09baca8e4f80cbe879536842bafb5f31, 5f7b51bf09baca8e4f80cbe879536842bafb5f31, 5f7b51bf09baca8e4f80cbe879536842bafb5f31, e0f824abe0f412f769fb5468b36c2471430bd885, 5.10.157, 5.13.14unaffected
LinuxLinux5.14, 0, 5.10.163, 5.15.87, 6.0.19, 6.1.5, 6.2affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.