CVE-2023-53585 Affecting libperf package, versions *
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CENTOS9-LIBPERF-13391927
- published7 Oct 2025
- disclosed4 Oct 2025
Introduced: 4 Oct 2025
NewCVE-2023-53585 (opens in a new tab)How to fix?
There is no fixed version for Centos:9 libperf.
NVD Description
Note: Versions mentioned in the description apply only to the upstream libperf package and not the libperf package as distributed by Centos.
See How to fix? for Centos:9 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
bpf: reject unhashed sockets in bpf_sk_assign
The semantics for bpf_sk_assign are as follows:
sk = some_lookup_func()
bpf_sk_assign(skb, sk)
bpf_sk_release(sk)
That is, the sk is not consumed by bpf_sk_assign. The function therefore needs to make sure that sk lives long enough to be consumed from __inet_lookup_skb. The path through the stack for a TCPv4 packet is roughly:
netif_receive_skb_core: takes RCU read lock __netif_receive_skb_core: sch_handle_ingress: tcf_classify: bpf_sk_assign() deliver_ptype_list_skb: deliver_skb: ip_packet_type->func == ip_rcv: ip_rcv_core: ip_rcv_finish_core: dst_input: ip_local_deliver: ip_local_deliver_finish: ip_protocol_deliver_rcu: tcp_v4_rcv: __inet_lookup_skb: skb_steal_sock
The existing helper takes advantage of the fact that everything happens in the same RCU critical section: for sockets with SOCK_RCU_FREE set bpf_sk_assign never takes a reference. skb_steal_sock then checks SOCK_RCU_FREE again and does sock_put if necessary.
This approach assumes that SOCK_RCU_FREE is never set on a sk between bpf_sk_assign and skb_steal_sock, but this invariant is violated by unhashed UDP sockets. A new UDP socket is created in TCP_CLOSE state but without SOCK_RCU_FREE set. That flag is only added in udp_lib_get_port() which happens when a socket is bound.
When bpf_sk_assign was added it wasn't possible to access unhashed UDP sockets from BPF, so this wasn't a problem. This changed in commit 0c48eefae712 ("sock_map: Lift socket state restriction for datagram sockets"), but the helper wasn't adjusted accordingly. The following sequence of events will therefore lead to a refcount leak:
- Add socket(AF_INET, SOCK_DGRAM) to a sockmap.
- Pull socket out of sockmap and bpf_sk_assign it. Since SOCK_RCU_FREE is not set we increment the refcount.
- bind() or connect() the socket, setting SOCK_RCU_FREE.
- skb_steal_sock will now set refcounted = false due to SOCK_RCU_FREE.
- tcp_v4_rcv() skips sock_put().
Fix the problem by rejecting unhashed sockets in bpf_sk_assign(). This matches the behaviour of __inet_lookup_skb which is ultimately the goal of bpf_sk_assign().
References
- https://access.redhat.com/security/cve/CVE-2023-53585
- https://git.kernel.org/stable/c/3d4522f59fb748a54446846522941a4f09da63e9
- https://git.kernel.org/stable/c/67312adc96b5a585970d03b62412847afe2c6b01
- https://git.kernel.org/stable/c/791a12102e5191dcb6ce0b3a99d71b5a2802d12a
- https://git.kernel.org/stable/c/7dcbc0bb0e5cc1823923744befce59ac353135e6
- https://git.kernel.org/stable/c/8aa43cfbb68b25119d2ced14ec717173e2901fa2
- https://git.kernel.org/stable/c/c0ce0fb76610d5fad31f56f2ca8241a2a6717a1b