Incorrect Calculation of Buffer Size Affecting libperf package, versions <0:5.14.0-362.8.1.el9_3
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CENTOS9-LIBPERF-13216367
- published3 Oct 2025
- disclosed1 Oct 2025
Introduced: 1 Oct 2025
NewCVE-2023-53477 (opens in a new tab)How to fix?
Upgrade Centos:9 libperf to version 0:5.14.0-362.8.1.el9_3 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream libperf package and not the libperf package as distributed by Centos.
See How to fix? for Centos:9 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
ipv6: Add lwtunnel encap size of all siblings in nexthop calculation
In function rt6_nlmsg_size(), the length of nexthop is calculated by multipling the nexthop length of fib6_info and the number of siblings. However if the fib6_info has no lwtunnel but the siblings have lwtunnels, the nexthop length is less than it should be, and it will trigger a warning in inet6_rt_notify() as follows:
WARNING: CPU: 0 PID: 6082 at net/ipv6/route.c:6180 inet6_rt_notify+0x120/0x130 ...... Call Trace: <TASK> fib6_add_rt2node+0x685/0xa30 fib6_add+0x96/0x1b0 ip6_route_add+0x50/0xd0 inet6_rtm_newroute+0x97/0xa0 rtnetlink_rcv_msg+0x156/0x3d0 netlink_rcv_skb+0x5a/0x110 netlink_unicast+0x246/0x350 netlink_sendmsg+0x250/0x4c0 sock_sendmsg+0x66/0x70 ___sys_sendmsg+0x7c/0xd0 __sys_sendmsg+0x5d/0xb0 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc
This bug can be reproduced by script:
ip -6 addr add 2002::2/64 dev ens2 ip -6 route add 100::/64 via 2002::1 dev ens2 metric 100
for i in 10 20 30 40 50 60 70; do ip link add link ens2 name ipv_$i type ipvlan ip -6 addr add 2002::$i/64 dev ipv_$i ifconfig ipv_$i up done
for i in 10 20 30 40 50 60; do ip -6 route append 100::/64 encap ip6 dst 2002::$i via 2002::1 dev ipv_$i metric 100 done
ip -6 route append 100::/64 via 2002::1 dev ipv_70 metric 100
This patch fixes it by adding nexthop_len of every siblings using rt6_nh_nlmsg_size().
References
- https://access.redhat.com/security/cve/CVE-2023-53477
- https://git.kernel.org/stable/c/4cc59f386991ec9374cb4bc83dbe1c0b5a95033f
- https://git.kernel.org/stable/c/aa75d826c221e8d48607aef33836cf872a159cf1
- https://git.kernel.org/stable/c/aba298b35619213ca787d08d472049627d8cd012
- https://git.kernel.org/stable/c/da26369377f0b671c14692e2d65ceb38131053e1
- https://git.kernel.org/stable/c/dcdddb5f490890d058ea1f194d661219e92fe88d
- https://git.kernel.org/stable/c/e11e4d524eba2d3c8fdf897d7ce3853f7573bae9