CVE-2023-53549: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-53549 is a vulnerability discovered in the Linux kernel's netfilter ipset component, affecting the process of adding/deleting large numbers of elements. The issue was identified and disclosed on October 4, 2025. The vulnerability affects the Linux kernel's netfilter subsystem, specifically the ipset functionality (NVD, RedHat).

The vulnerability stems from the way ipset handles large batch operations when adding or deleting elements. A previous patch (5f7b51bf09ba) attempted to fix soft lockup errors by limiting the maximum elements to process, but this solution proved insufficient as hung tasks could still occur. The issue has been assigned a CVSS v3.1 score of 7.0 with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (RedHat).

The vulnerability can result in soft lockup errors and hung tasks when processing large numbers of elements in ipset operations. This can affect system performance and stability, particularly when adding or deleting large numbers of elements in one step (NVD).

The issue has been resolved by implementing a new approach that relies on the method used at resizing sets. The fix involves saving the state when reaching a smaller internal batch limit, unlocking/locking, and proceeding from the saved state. This allows avoiding long continuous tasks while removing the limit on adding/deleting large numbers of elements in one step. The nfnl mutex is held during the entire operation to prevent parallel ipset commands (NVD).