LiveActive security incident?Get immediate response
CVE Record

CVE-2023-54149: net: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses

In the Linux kernel, the following vulnerability has been resolved: net: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses When using the felix driver (the only one which supports UC filtering and MC filtering) as a DSA master for a random other DSA switch, one can see the following stack trace when the downstream switch ports join a VLAN-aware bridge: ============================= WARNING: suspicious RCU usage ----------------------------- net/8021q/vlan_core.c:238 suspicious rcu_dereference_protected() usage! stack backtrace: Workqueue: dsa_ordered dsa_slave_switchdev_event_work Call trace: lockdep_rcu_suspicious+0x170/0x210 vlan_for_each+0x8c/0x188 dsa_slave_sync_uc+0x128/0x178 __hw_addr_sync_dev+0x138/0x158 dsa_slave_set_rx_mode+0x58/0x70 __dev_set_rx_mode+0x88/0xa8 dev_uc_add+0x74/0xa0 dsa_port_bridge_host_fdb_add+0xec/0x180 dsa_slave_switchdev_event_work+0x7c/0x1c8 process_one_work+0x290/0x568 What it's saying is that vlan_for_each() expects rtnl_lock() context and it's not getting it, when it's called from the DSA master's ndo_set_rx_mode(). The caller of that - dsa_slave_set_rx_mode() - is the slave DSA interface's dsa_port_bridge_host_fdb_add() which comes from the deferred dsa_slave_switchdev_event_work(). We went to great lengths to avoid the rtnl_lock() context in that call path in commit 0faf890fc519 ("net: dsa: drop rtnl_lock from dsa_slave_switchdev_event_work"), and calling rtnl_lock() is simply not an option due to the possibility of deadlocking when calling dsa_flush_workqueue() from the call paths that do hold rtnl_lock() - basically all of them. So, when the DSA master calls vlan_for_each() from its ndo_set_rx_mode(), the state of the 8021q driver on this device is really not protected from concurrent access by anything. Looking at net/8021q/, I don't think that vlan_info->vid_list was particularly designed with RCU traversal in mind, so introducing an RCU read-side form of vlan_for_each() - vlan_for_each_rcu() - won't be so easy, and it also wouldn't be exactly what we need anyway. In general I believe that the solution isn't in net/8021q/ anyway; vlan_for_each() is not cut out for this task. DSA doesn't need rtnl_lock() to be held per se - since it's not a netdev state change that we're blocking, but rather, just concurrent additions/removals to a VLAN list. We don't even need sleepable context - the callback of vlan_for_each() just schedules deferred work. The proposed escape is to remove the dependency on vlan_for_each() and to open-code a non-sleepable, rtnl-free alternative to that, based on copies of the VLAN list modified from .ndo_vlan_rx_add_vid() and .ndo_vlan_rx_kill_vid().

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel networking bug in a specialized switch configuration. It involves unsafe concurrent access around VLAN-aware bridge handling for DSA switches, especially when the felix driver is used as a DSA master. The supplied sources show a kernel warning and a resolved upstream issue, but do not establish active exploitation or business impact severity.

Executive priority

Treat this as targeted infrastructure hygiene rather than an internet-wide emergency. Patch affected network appliances, embedded Linux platforms, or servers using DSA switch hardware, especially where VLAN-aware bridging is deployed. Escalate if these systems are production network control points.

Technical view

The flaw is in Linux DSA MAC address synchronization for VLAN-aware bridges. The call path reaches vlan_for_each() from ndo_set_rx_mode() without rtnl_lock(), leaving 8021q VLAN list state insufficiently protected against concurrent access. The kernel fix avoids vlan_for_each() in this path and tracks VLAN list copies updated through VLAN add and delete callbacks.

Likely exposure

Exposure appears limited to Linux systems using DSA switch infrastructure, particularly felix as a DSA master with downstream switch ports in VLAN-aware bridges. General Linux servers without this switching topology are less likely to be exposed. The bundle provides kernel version metadata but no distro package mapping or CPEs.

Exploitation context

The sources describe a suspicious RCU usage warning and concurrency issue, not a public exploit path. KEV is false in the bundle, and no cited source claims active exploitation. Impact beyond potential kernel networking instability is not established by the provided evidence.

Researcher notes

Evidence is strongest for root cause and upstream fix direction, but weak for exploitability, affected distro packages, and practical impact. The important validation question is whether a system runs the specific DSA/felix/VLAN-aware bridge topology described by the kernel advisory.

Mitigation direction

  • Update to a Linux kernel or vendor package containing the referenced stable fixes.
  • Check distribution advisories for backported fixes matching CVE-2023-54149.
  • Prioritize systems using DSA, felix, and VLAN-aware bridge configurations.
  • Avoid affected DSA/VLAN-aware bridge combinations where operationally feasible until patched.
  • Test network switching and VLAN behavior after applying kernel updates.

Validation and detection

  • Inventory Linux kernels on systems using DSA-managed switch hardware.
  • Confirm whether felix is used as a DSA master in the environment.
  • Review kernel logs for suspicious RCU usage involving vlan_for_each or dsa_slave_sync_uc.
  • Verify vendor kernel changelogs reference CVE-2023-54149 or the stable commits.
  • Validate VLAN-aware bridge behavior in staging after patching.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2023-54149 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
4Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux64fdc5f341db01200e33105265d4b8450122a82e, 64fdc5f341db01200e33105265d4b8450122a82e, 64fdc5f341db01200e33105265d4b8450122a82e, 2daf967a24334865e51520e55190a646dd480cd7, 6.2.10unaffected
LinuxLinux6.3, 0, 6.3.13, 6.4.4, 6.5affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.