LiveActive security incident?Get immediate response
CVE Record

CVE-2023-53590: sctp: add a refcnt in sctp_stream_priorities to avoid a nested loop

In the Linux kernel, the following vulnerability has been resolved: sctp: add a refcnt in sctp_stream_priorities to avoid a nested loop With this refcnt added in sctp_stream_priorities, we don't need to traverse all streams to check if the prio is used by other streams when freeing one stream's prio in sctp_sched_prio_free_sid(). This can avoid a nested loop (up to 65535 * 65535), which may cause a stuck as Ying reported: watchdog: BUG: soft lockup - CPU#23 stuck for 26s! [ksoftirqd/23:136] Call Trace: <TASK> sctp_sched_prio_free_sid+0xab/0x100 [sctp] sctp_stream_free_ext+0x64/0xa0 [sctp] sctp_stream_free+0x31/0x50 [sctp] sctp_association_free+0xa5/0x200 [sctp] Note that it doesn't need to use refcount_t type for this counter, as its accessing is always protected under the sock lock. v1->v2: - add a check in sctp_sched_prio_set to avoid the possible prio_head refcnt overflow.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel SCTP issue that can make a CPU spend excessive time freeing stream priority data, causing a soft lockup. The business impact is likely availability degradation rather than data theft. Severity is not scored in the provided record, so prioritize based on SCTP exposure and kernel version.

Executive priority

Treat as a targeted availability risk. Patch through normal kernel maintenance, faster for internet-facing or SCTP-dependent systems. Current evidence does not support emergency handling for all Linux estates.

Technical view

The SCTP scheduler priority cleanup path could traverse streams in a nested loop up to 65535 by 65535. The fix adds a reference counter in sctp_stream_priorities, protected by the socket lock, and adds an overflow check in sctp_sched_prio_set.

Likely exposure

Exposure is limited to Linux systems using affected kernel builds with SCTP available or in use. The CVE record lists Linux kernel versions and stable commits, but distribution backports must be checked before declaring a host vulnerable.

Exploitation context

The source describes a reported soft lockup in ksoftirqd during SCTP association cleanup. It does not state active exploitation, remote exploitability, authentication requirements, or public exploit availability. KEV status is false in the provided bundle.

Researcher notes

The available evidence supports a resource-exhaustion or soft-lockup condition in SCTP cleanup logic. Missing details include CVSS, CWE, exploit prerequisites, and distribution-specific fixed package versions. Avoid assuming exploitability beyond the kernel record.

Mitigation direction

  • Inventory Linux systems with SCTP enabled or loaded.
  • Apply vendor kernel updates containing the referenced stable SCTP fixes.
  • Check distribution advisories for backported fixes before using upstream version numbers.
  • Where patching is delayed, follow vendor guidance for SCTP exposure reduction.

Validation and detection

  • Confirm running kernel versions against the CVE affected-version data.
  • Verify whether SCTP is enabled, loaded, or required on exposed systems.
  • Check vendor kernel changelogs for the referenced SCTP fix commits.
  • Review logs for soft lockup messages involving sctp_sched_prio_free_sid.
Prepared
Confidence
medium
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2023-53590 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
7Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxa7555681e50bdebed2c40ff7404ee73c2e932993, 176ee6c673ccd118e9392fd2dbb165423bdb99ca, 0dfb9a566327182387c90100ea54d8426cee8c67, 9ed7bfc79542119ac0a9e1ce8a2a5285e43433e9, 9ed7bfc79542119ac0a9e1ce8a2a5285e43433e9, 9ed7bfc79542119ac0a9e1ce8a2a5285e43433e9, fa20f88271259d42ebe66f0a8c4c20199e888c99, 5.4.226, 5.10.158, 5.15.82, 6.0.12unaffected
LinuxLinux6.1, 0, 5.4.235, 5.10.173, 5.15.100, 6.1.18, 6.2.5, 6.3affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.