CVE-2023-3107
Remote denial of service in IPv6 fragment reassembly
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A set of carefully crafted ipv6 packets can trigger an integer overflow in the calculation of a fragment reassembled packet's payload length field. This allows an attacker to trigger a kernel panic, resulting in a denial of service.
Un conjunto de paquetes ipv6 cuidadosamente diseñados puede desencadenar un desbordamiento de enteros en el cálculo del campo de longitud de la carga útil de un paquete reensamblado por fragmentos. Esto permite a un atacante desencadenar un kernel panic, resultando en una denegación de servicio.
Each fragment of an IPv6 packet contains a fragment header which specifies the offset of the fragment relative to the original packet, and each fragment specifies its length in the IPv6 header. When reassembling the packet, the kernel calculates the complete IPv6 payload length. The payload length must fit into a 16-bit field in the IPv6 header. Due to a bug in the kernel, a set of carefully crafted packets can trigger an integer overflow in the calculation of the reassembled packet's payload length field. Once an IPv6 packet has been reassembled, the kernel continues processing its contents. It does so assuming that the fragmentation layer has validated all fields of the constructed IPv6 header. This bug violates such assumptions and can be exploited to trigger a remote kernel panic, resulting in a denial of service.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2023-06-05 CVE Reserved
- 2023-08-01 CVE Published
- 2025-04-15 EPSS Updated
- 2025-07-09 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-190: Integer Overflow or Wraparound
CAPEC
- CAPEC-128: Integer Attacks
References (2)
| URL | Tag | Source |
|---|---|---|
| https://security.netapp.com/advisory/ntap-20230804-0001 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://security.FreeBSD.org/advisories/FreeBSD-SA-23:06.ipv6.asc | 2023-08-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 12.4 Search vendor "Freebsd" for product "Freebsd" and version "12.4" | - |
Affected
| ||||||
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 12.4 Search vendor "Freebsd" for product "Freebsd" and version "12.4" | p1 |
Affected
| ||||||
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 12.4 Search vendor "Freebsd" for product "Freebsd" and version "12.4" | p2 |
Affected
| ||||||
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 12.4 Search vendor "Freebsd" for product "Freebsd" and version "12.4" | p3 |
Affected
| ||||||
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 12.4 Search vendor "Freebsd" for product "Freebsd" and version "12.4" | rc2-p1 |
Affected
| ||||||
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 12.4 Search vendor "Freebsd" for product "Freebsd" and version "12.4" | rc2-p2 |
Affected
| ||||||
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 13.1 Search vendor "Freebsd" for product "Freebsd" and version "13.1" | - |
Affected
| ||||||
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 13.1 Search vendor "Freebsd" for product "Freebsd" and version "13.1" | b1-p1 |
Affected
| ||||||
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 13.1 Search vendor "Freebsd" for product "Freebsd" and version "13.1" | b2-p2 |
Affected
| ||||||
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 13.1 Search vendor "Freebsd" for product "Freebsd" and version "13.1" | p1 |
Affected
| ||||||
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 13.1 Search vendor "Freebsd" for product "Freebsd" and version "13.1" | p2 |
Affected
| ||||||
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 13.1 Search vendor "Freebsd" for product "Freebsd" and version "13.1" | p3 |
Affected
| ||||||
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 13.1 Search vendor "Freebsd" for product "Freebsd" and version "13.1" | p4 |
Affected
| ||||||
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 13.1 Search vendor "Freebsd" for product "Freebsd" and version "13.1" | p5 |
Affected
| ||||||
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 13.1 Search vendor "Freebsd" for product "Freebsd" and version "13.1" | p6 |
Affected
| ||||||
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 13.1 Search vendor "Freebsd" for product "Freebsd" and version "13.1" | p7 |
Affected
| ||||||
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 13.1 Search vendor "Freebsd" for product "Freebsd" and version "13.1" | p8 |
Affected
| ||||||
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 13.1 Search vendor "Freebsd" for product "Freebsd" and version "13.1" | rc1-p1 |
Affected
| ||||||
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 13.2 Search vendor "Freebsd" for product "Freebsd" and version "13.2" | - |
Affected
| ||||||
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 13.2 Search vendor "Freebsd" for product "Freebsd" and version "13.2" | p1 |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Clustered Data Ontap Search vendor "Netapp" for product "Clustered Data Ontap" | 9.0 Search vendor "Netapp" for product "Clustered Data Ontap" and version "9.0" | - |
Affected
| ||||||