CVE-2023-53590: sctp: add a refcnt in sctp_stream_priorities to avoid a nested loop
In the Linux kernel, the following vulnerability has been resolved:
sctp: add a refcnt in sctp_stream_priorities to avoid a nested loop
With this refcnt added in sctp_stream_priorities, we don't need to
traverse all streams to check if the prio is used by other streams
when freeing one stream's prio in sctp_sched_prio_free_sid(). This
can avoid a nested loop (up to 65535 * 65535), which may cause a
stuck as Ying reported:
watchdog: BUG: soft lockup - CPU#23 stuck for 26s! [ksoftirqd/23:136]
Call Trace:
<TASK>
sctp_sched_prio_free_sid+0xab/0x100 [sctp]
sctp_stream_free_ext+0x64/0xa0 [sctp]
sctp_stream_free+0x31/0x50 [sctp]
sctp_association_free+0xa5/0x200 [sctp]
Note that it doesn't need to use refcount_t type for this counter,
as its accessing is always protected under the sock lock.
v1->v2:
- add a check in sctp_sched_prio_set to avoid the possible prio_head
refcnt overflow.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel SCTP issue that can make a CPU spend excessive time freeing stream priority data, causing a soft lockup. The business impact is likely availability degradation rather than data theft. Severity is not scored in the provided record, so prioritize based on SCTP exposure and kernel version.
Executive priority
Treat as a targeted availability risk. Patch through normal kernel maintenance, faster for internet-facing or SCTP-dependent systems. Current evidence does not support emergency handling for all Linux estates.
Technical view
The SCTP scheduler priority cleanup path could traverse streams in a nested loop up to 65535 by 65535. The fix adds a reference counter in sctp_stream_priorities, protected by the socket lock, and adds an overflow check in sctp_sched_prio_set.
Likely exposure
Exposure is limited to Linux systems using affected kernel builds with SCTP available or in use. The CVE record lists Linux kernel versions and stable commits, but distribution backports must be checked before declaring a host vulnerable.
Exploitation context
The source describes a reported soft lockup in ksoftirqd during SCTP association cleanup. It does not state active exploitation, remote exploitability, authentication requirements, or public exploit availability. KEV status is false in the provided bundle.
Researcher notes
The available evidence supports a resource-exhaustion or soft-lockup condition in SCTP cleanup logic. Missing details include CVSS, CWE, exploit prerequisites, and distribution-specific fixed package versions. Avoid assuming exploitability beyond the kernel record.
Mitigation direction
Inventory Linux systems with SCTP enabled or loaded.
Apply vendor kernel updates containing the referenced stable SCTP fixes.
Check distribution advisories for backported fixes before using upstream version numbers.
Where patching is delayed, follow vendor guidance for SCTP exposure reduction.
Validation and detection
Confirm running kernel versions against the CVE affected-version data.
Verify whether SCTP is enabled, loaded, or required on exposed systems.
Check vendor kernel changelogs for the referenced SCTP fix commits.
Review logs for soft lockup messages involving sctp_sched_prio_free_sid.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2023-53590 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
7Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Oct 4, 2025, 15:44 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.