QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2023-54114

Back to search

CVE-2023-54114

Published: Dec 24, 2025

Modified: May 11, 2026

PUBLISHED

Description

In the Linux kernel, the following vulnerability has been resolved: net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment() As the call trace shows, skb_panic was caused by wrong skb->mac_header in nsh_gso_segment(): invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1 RIP: 0010:skb_panic+0xda/0xe0 call Trace: skb_push+0x91/0xa0 nsh_gso_segment+0x4f3/0x570 skb_mac_gso_segment+0x19e/0x270 __skb_gso_segment+0x1e8/0x3c0 validate_xmit_skb+0x452/0x890 validate_xmit_skb_list+0x99/0xd0 sch_direct_xmit+0x294/0x7c0 __dev_queue_xmit+0x16f0/0x1d70 packet_xmit+0x185/0x210 packet_snd+0xc15/0x1170 packet_sendmsg+0x7b/0xa0 sock_sendmsg+0x14f/0x160 The root cause is: nsh_gso_segment() use skb->network_header - nhoff to reset mac_header in skb_gso_error_unwind() if inner-layer protocol gso fails. However, skb->network_header may be reset by inner-layer protocol gso function e.g. mpls_gso_segment. skb->mac_header reset by the inaccurate network_header will be larger than skb headroom. nsh_gso_segment nhoff = skb->network_header - skb->mac_header; __skb_pull(skb,nsh_len) skb_mac_gso_segment mpls_gso_segment skb_reset_network_header(skb);//skb->network_header+=nsh_len return -EINVAL; skb_gso_error_unwind skb_push(skb, nsh_len); skb->mac_header = skb->network_header - nhoff; // skb->mac_header > skb->headroom, cause skb_push panic Use correct mac_offset to restore mac_header and get rid of nhoff.

VendorProductVersions

Linux

Linux

affected
c411ed854584a71b0e86ac3019b60e4789d88086 - < 2f88c8d38ecf5ed0273f99a067246899ba499eb2
affected
c411ed854584a71b0e86ac3019b60e4789d88086 - < d2309e0cb27b6871b273fbc1725e93be62570d86
affected
c411ed854584a71b0e86ac3019b60e4789d88086 - < 435855b0831b351cb72cb38369ee33122ce9574c
affected
c411ed854584a71b0e86ac3019b60e4789d88086 - < 02b20e0bc0c2628539e9e518dc342787c3332de2
affected
c411ed854584a71b0e86ac3019b60e4789d88086 - < cdd8160dcda1fed2028a5f96575a84afc23aff7d

+3 more versions

Linux

Linux

affected
4.14
unaffected
0 - < 4.14
unaffected
4.14.316 - <= 4.14.*
unaffected
4.19.284 - <= 4.19.*
unaffected
5.4.244 - <= 5.4.*

+5 more versions

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now