UBUNTU-CVE-2023-53186

Advisory lineage Upstream: 1 Downstream: 0

Upstream

CVE-2023-53186

Published: 15 Sept 2025, 14:15

Last modified:03 Jun 2026, 13:37

Vulnerability Summary

Overall Risk (default)

low

19/100

CVSS Score

4.7 MEDIUM

3.1 (osv_ubuntu)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

15 Sept 2025, 14:15

Published

Vulnerability first disclosed

03 Jun 2026, 13:37

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: skbuff: Fix a race between coalescing and releasing SKBs Commit 1effe8ca4e34 ("skbuff: fix coalescing for page_pool fragment recycling") allowed coalescing to proceed with non page pool page and page pool page when @from is cloned, i.e. to->pp_recycle --> false from->pp_recycle --> true skb_cloned(from) --> true However, it actually requires skb_cloned(@from) to hold true until coalescing finishes in this situation. If the other cloned SKB is released while the merging is in process, from_shinfo->nr_frags will be set to 0 toward the end of the function, causing the increment of frag page _refcount to be unexpectedly skipped resulting in inconsistent reference counts. Later when SKB(@to) is released, it frees the page directly even though the page pool page is still in use, leading to use-after-free or double-free errors. So it should be prohibited. The double-free error message below prompted us to investigate: BUG: Bad page state in process swapper/1 pfn:0e0d1 page:00000000c6548b28 refcount:-1 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0xe0d1 flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff) raw: 000fffffc0000000 0000000000000000 ffffffff00000101 0000000000000000 raw: 0000000000000002 0000000000000000 ffffffffffffffff 0000000000000000 page dumped because: nonzero _refcount CPU: 1 PID: 0 Comm: swapper/1 Tainted: G E 6.2.0+ Call Trace: <IRQ> dump_stack_lvl+0x32/0x50 bad_page+0x69/0xf0 free_pcp_prepare+0x260/0x2f0 free_unref_page+0x20/0x1c0 skb_release_data+0x10b/0x1a0 napi_consume_skb+0x56/0x150 net_rx_action+0xf0/0x350 ? __napi_schedule+0x79/0x90 __do_softirq+0xc8/0x2b1 __irq_exit_rcu+0xb9/0xf0 common_interrupt+0x82/0xa0 </IRQ> <TASK> asm_common_interrupt+0x22/0x40 RIP: 0010:default_idle+0xb/0x20

CVSS Metrics

v3.1•MEDIUM•Score: 4.7CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Systems

ubuntu•linux
< 5.15.0-79.86
ubuntu•linux-allwinner-5.19
all
ubuntu•linux-aws
< 5.15.0-1042.47
ubuntu•linux-aws-5.0
all
ubuntu•linux-aws-5.11
all
ubuntu•linux-aws-5.13
all
ubuntu•linux-aws-5.15
< 5.15.0-1041.46~20.04.1
ubuntu•linux-aws-5.19
all
ubuntu•linux-aws-5.3
all
ubuntu•linux-aws-5.8
all
ubuntu•linux-aws-6.2
all
ubuntu•linux-aws-6.5
all
ubuntu•linux-azure
all | < 5.15.0-1045.52
ubuntu•linux-azure-5.11
all
ubuntu•linux-azure-5.13
all
ubuntu•linux-azure-5.15
< 5.15.0-1045.52~20.04.1
ubuntu•linux-azure-5.19
all
ubuntu•linux-azure-5.3
all
ubuntu•linux-azure-5.8
all
ubuntu•linux-azure-6.11
all
ubuntu•linux-azure-6.2
all
ubuntu•linux-azure-6.5
all
ubuntu•linux-azure-edge
all
ubuntu•linux-azure-fde
all | all
ubuntu•linux-azure-fde-5.19
all
ubuntu•linux-azure-fde-6.2
all
ubuntu•linux-bluefield
< 5.15.0-1022.24 | < 5.15.0-1022.24 | all
ubuntu•linux-fips
all
ubuntu•linux-gcp
all | < 5.15.0-1039.47
ubuntu•linux-gcp-5.11
all
ubuntu•linux-gcp-5.13
all
ubuntu•linux-gcp-5.15
< 5.15.0-1039.47~20.04.1
ubuntu•linux-gcp-5.19
all
ubuntu•linux-gcp-5.3
all
ubuntu•linux-gcp-5.8
all
ubuntu•linux-gcp-6.11
all
ubuntu•linux-gcp-6.2
all
ubuntu•linux-gcp-6.5
all
ubuntu•linux-gke
all | < 5.15.0-1039.44
ubuntu•linux-gke-4.15
all
ubuntu•linux-gke-5.15
all
ubuntu•linux-gke-5.4
all
ubuntu•linux-gkeop
all | < 5.15.0-1025.30
ubuntu•linux-gkeop-5.15
all
ubuntu•linux-gkeop-5.4
all
ubuntu•linux-hwe
all
ubuntu•linux-hwe-5.11
all
ubuntu•linux-hwe-5.13
all
ubuntu•linux-hwe-5.15
< 5.15.0-79.86~20.04.2
ubuntu•linux-hwe-5.19
all

Showing first 50 affected entries in server-rendered view.