{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-53549", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-10-04T15:14:15.922Z", "datePublished": "2025-10-04T15:16:56.382Z", "dateUpdated": "2025-10-04T15:16:56.382Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-10-04T15:16:56.382Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: Rework long task execution when adding/deleting entries\n\nWhen adding/deleting large number of elements in one step in ipset, it can\ntake a reasonable amount of time and can result in soft lockup errors. The\npatch 5f7b51bf09ba (\"netfilter: ipset: Limit the maximal range of\nconsecutive elements to add/delete\") tried to fix it by limiting the max\nelements to process at all. However it was not enough, it is still possible\nthat we get hung tasks. Lowering the limit is not reasonable, so the\napproach in this patch is as follows: rely on the method used at resizing\nsets and save the state when we reach a smaller internal batch limit,\nunlock/lock and proceed from the saved state. Thus we can avoid long\ncontinuous tasks and at the same time removed the limit to add/delete large\nnumber of elements in one step.\n\nThe nfnl mutex is held during the whole operation which prevents one to\nissue other ipset commands in parallel."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/netfilter/ipset/ip_set.h", "net/netfilter/ipset/ip_set_core.c", "net/netfilter/ipset/ip_set_hash_ip.c", "net/netfilter/ipset/ip_set_hash_ipmark.c", "net/netfilter/ipset/ip_set_hash_ipport.c", "net/netfilter/ipset/ip_set_hash_ipportip.c", "net/netfilter/ipset/ip_set_hash_ipportnet.c", "net/netfilter/ipset/ip_set_hash_net.c", "net/netfilter/ipset/ip_set_hash_netiface.c", "net/netfilter/ipset/ip_set_hash_netnet.c", "net/netfilter/ipset/ip_set_hash_netport.c"], "versions": [{"version": "e62e62ea912a49f7230620f1bdc20410b943a44c", "lessThan": "ee756980e491c829ba0495bb420b7224a9ee26b2", "status": "affected", "versionType": "git"}, {"version": "5f7b51bf09baca8e4f80cbe879536842bafb5f31", "lessThan": "a1e1521b463968b4eca7163f61fb6cc54d008061", "status": "affected", "versionType": "git"}, {"version": "5f7b51bf09baca8e4f80cbe879536842bafb5f31", "lessThan": "24a828f5a54bdeca0846526860d72b3766c5fe95", "status": "affected", "versionType": "git"}, {"version": "5f7b51bf09baca8e4f80cbe879536842bafb5f31", "lessThan": "8964cc36ba011dc0e1041131fa2e91fb4c2a811b", "status": "affected", "versionType": "git"}, {"version": "5f7b51bf09baca8e4f80cbe879536842bafb5f31", "lessThan": "5e29dc36bd5e2166b834ceb19990d9e68a734d7d", "status": "affected", "versionType": "git"}, {"version": "e0f824abe0f412f769fb5468b36c2471430bd885", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/netfilter/ipset/ip_set.h", "net/netfilter/ipset/ip_set_core.c", "net/netfilter/ipset/ip_set_hash_ip.c", "net/netfilter/ipset/ip_set_hash_ipmark.c", "net/netfilter/ipset/ip_set_hash_ipport.c", "net/netfilter/ipset/ip_set_hash_ipportip.c", "net/netfilter/ipset/ip_set_hash_ipportnet.c", "net/netfilter/ipset/ip_set_hash_net.c", "net/netfilter/ipset/ip_set_hash_netiface.c", "net/netfilter/ipset/ip_set_hash_netnet.c", "net/netfilter/ipset/ip_set_hash_netport.c"], "versions": [{"version": "5.14", "status": "affected"}, {"version": "0", "lessThan": "5.14", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.163", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.87", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0.19", "lessThanOrEqual": "6.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.5", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.157", "versionEndExcluding": "5.10.163"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "5.15.87"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.0.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.1.5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13.14"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ee756980e491c829ba0495bb420b7224a9ee26b2"}, {"url": "https://git.kernel.org/stable/c/a1e1521b463968b4eca7163f61fb6cc54d008061"}, {"url": "https://git.kernel.org/stable/c/24a828f5a54bdeca0846526860d72b3766c5fe95"}, {"url": "https://git.kernel.org/stable/c/8964cc36ba011dc0e1041131fa2e91fb4c2a811b"}, {"url": "https://git.kernel.org/stable/c/5e29dc36bd5e2166b834ceb19990d9e68a734d7d"}], "title": "netfilter: ipset: Rework long task execution when adding/deleting entries", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: Rework long task execution when adding/deleting entries\n\nWhen adding/deleting large number of elements in one step in ipset, it can\ntake a reasonable amount of time and can result in soft lockup errors. The\npatch 5f7b51bf09ba (\"netfilter: ipset: Limit the maximal range of\nconsecutive elements to add/delete\") tried to fix it by limiting the max\nelements to process at all. However it was not enough, it is still possible\nthat we get hung tasks. Lowering the limit is not reasonable, so the\napproach in this patch is as follows: rely on the method used at resizing\nsets and save the state when we reach a smaller internal batch limit,\nunlock/lock and proceed from the saved state. Thus we can avoid long\ncontinuous tasks and at the same time removed the limit to add/delete large\nnumber of elements in one step.\n\nThe nfnl mutex is held during the whole operation which prevents one to\nissue other ipset commands in parallel."}], "id": "CVE-2023-53549", "lastModified": "2025-10-06T14:56:21.733", "metrics": {}, "published": "2025-10-04T16:15:50.143", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/24a828f5a54bdeca0846526860d72b3766c5fe95"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5e29dc36bd5e2166b834ceb19990d9e68a734d7d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8964cc36ba011dc0e1041131fa2e91fb4c2a811b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a1e1521b463968b4eca7163f61fb6cc54d008061"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ee756980e491c829ba0495bb420b7224a9ee26b2"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: netfilter: ipset: Rework long task execution when adding/deleting entries", "id": "2401491", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2401491"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnetfilter: ipset: Rework long task execution when adding/deleting entries\nWhen adding/deleting large number of elements in one step in ipset, it can\ntake a reasonable amount of time and can result in soft lockup errors. The\npatch 5f7b51bf09ba (\"netfilter: ipset: Limit the maximal range of\nconsecutive elements to add/delete\") tried to fix it by limiting the max\nelements to process at all. However it was not enough, it is still possible\nthat we get hung tasks. Lowering the limit is not reasonable, so the\napproach in this patch is as follows: rely on the method used at resizing\nsets and save the state when we reach a smaller internal batch limit,\nunlock/lock and proceed from the saved state. Thus we can avoid long\ncontinuous tasks and at the same time removed the limit to add/delete large\nnumber of elements in one step.\nThe nfnl mutex is held during the whole operation which prevents one to\nissue other ipset commands in parallel."], "name": "CVE-2023-53549", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:rhivos:1", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat In-Vehicle Operating System 1"}], "public_date": "2025-10-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-53549\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53549\nhttps://lore.kernel.org/linux-cve-announce/2025100446-CVE-2023-53549-9c74@gregkh/T"], "threat_severity": "Moderate"}