LiveActive security incident?Get immediate response
CVE Record

CVE-2023-53698: xsk: fix refcount underflow in error path

In the Linux kernel, the following vulnerability has been resolved: xsk: fix refcount underflow in error path Fix a refcount underflow problem reported by syzbot that can happen when a system is running out of memory. If xp_alloc_tx_descs() fails, and it can only fail due to not having enough memory, then the error path is triggered. In this error path, the refcount of the pool is decremented as it has incremented before. However, the reference to the pool in the socket was not nulled. This means that when the socket is closed later, the socket teardown logic will think that there is a pool attached to the socket and try to decrease the refcount again, leading to a refcount underflow. I chose this fix as it involved adding just a single line. Another option would have been to move xp_get_pool() and the assignment of xs->pool to after the if-statement and using xs_umem->pool instead of xs->pool in the whole if-statement resulting in somewhat simpler code, but this would have led to much more churn in the code base perhaps making it harder to backport.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel bug in AF_XDP socket setup. Under memory pressure, a failed allocation can leave a stale pool pointer, causing the pool reference count to be decremented twice when the socket closes. The public record does not state a concrete impact, CVSS score, or active exploitation.

Executive priority

Treat this as a kernel maintenance issue with uncertain business impact. Prioritize normal patch cycles, escalating for internet-facing packet-processing infrastructure, multi-tenant systems, or hosts running untrusted local code. No source in the bundle supports emergency response for active exploitation.

Technical view

In the xsk error path, xp_alloc_tx_descs() can fail during out-of-memory conditions after xp_get_pool() increments a pool refcount. Because xs->pool was not cleared, socket teardown later decrements the same pool again, causing refcount underflow. Stable kernel commits add the missing cleanup behavior.

Likely exposure

Exposure is limited to Linux systems with affected kernel builds containing the AF_XDP/xsk bug. The source lists Linux kernel versions and stable commits, but exact distro package exposure is not provided. Systems using packet-processing stacks, containers, or local workloads may need closer review.

Exploitation context

The source attributes discovery to syzbot and describes an out-of-memory-triggered error path. It does not provide exploit status, proof of exploitation, or a confirmed impact class. KEV is false, so there is no cited evidence here of active exploitation.

Researcher notes

Evidence is strongest for root cause and fix, not real-world exploitability. The bug depends on an allocation failure path and stale xs->pool state during teardown. Further assessment should focus on reachable AF_XDP use, required privileges, and distro-specific patch status.

Mitigation direction

  • Update to a vendor-supported kernel containing the referenced stable fixes.
  • Check Linux distribution advisories for backported fixes and package names.
  • Prioritize hosts using AF_XDP, high-performance networking, or untrusted local workloads.
  • Track kernel versions 5.15, 5.17, 5.18, 6.1, 6.4, and 6.5 carefully.
  • If no vendor package exists, follow official vendor guidance before applying custom kernels.

Validation and detection

  • Inventory running kernel versions across servers, appliances, and container hosts.
  • Map distro kernel packages to the referenced upstream stable commits.
  • Review whether AF_XDP/xsk functionality is enabled or used in production.
  • Confirm patched systems are running the updated kernel after reboot.
  • Monitor kernel logs for refcount warnings or instability under memory pressure.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2023-53698 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
5Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxf7019562f142bc041f9cde63af338d1886585923, ba3beec2ec1d3b4fd8672ca6e781dac4b3267f6e, ba3beec2ec1d3b4fd8672ca6e781dac4b3267f6e, ba3beec2ec1d3b4fd8672ca6e781dac4b3267f6e, 9f0c8a9d4ef1b9ebee0e4ac2495fe790727044aa, 5.15.47, 5.17.15unaffected
LinuxLinux5.18, 0, 5.15.127, 6.1.46, 6.4.11, 6.5affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.