CVE-2023-35001
Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability
Public Exploits: 3
Exploited in Wild: -
Descriptions
Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder mishandles nf_tables VM register contents. Exploitable by a local user holding CAP_NET_ADMIN in any user or network namespace, so an unprivileged user namespace is sufficient.
An out-of-bounds (OOB) memory access flaw was found in the Netfilter module of the Linux kernel, in nft_byteorder_eval() in net/netfilter/nft_byteorder.c. The 16-bit (size 2) case walks the source and destination registers through a union whose 16-bit member is padded to 4 bytes, so each element is accessed at twice the intended stride and the loop reaches past the length that was bounds-checked when the rule was loaded. A local attacker with CAP_NET_ADMIN can use the resulting read and write past the register array to escalate privileges.
This vulnerability allows local attackers to escalate privileges on affected installations of the Linux kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the processing of nft chains. The issue results from incorrect pointer scaling, which can result in a memory access past the end of the register array. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.
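To make the pointer-scaling error concrete, the following is an added user-space model written for this page; it is not the kernel's code and not any of the published exploits. It reproduces the shape of the pre-fix and post-fix 16-bit loops in nft_byteorder_eval against a constructed 20 x u32 register file (the size of struct nft_regs.data in the kernel) padded with a canary region, and applies the same load-time rule the kernel uses (reg * 4 + len must fit inside the register file). The names regs_with_guard, register_load_ok, byteorder_ntoh16_buggy/_fixed, buggy_last_byte, accepted_but_overruns and guard_bytes_written are this example's own, as are the register values it fills in. In the kernel the register file lives on the chain evaluator's stack frame, so the same overrun reads and writes the stack rather than a canary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef __GNUC__
#define NOINLINE __attribute__((noinline))   /* keep the call boundary, as in the kernel */
#else
#define NOINLINE
#endif

/* Register file modelled on struct nft_regs: NFT_REG32_NUM (20) 32-bit slots.
 * The guard bytes are this example's addition so the overrun lands in memory
 * we can inspect; in the kernel the slots sit on the stack. */
#define REG32_NUM  20
#define REG32_SIZE 4
#define REGS_BYTES (REG32_NUM * REG32_SIZE)

struct regs_with_guard {
    uint32_t data[REG32_NUM];
    uint8_t  guard[64];
};

/* Load-time check with the same rule as the kernel's register validation:
 * the selected registers must fit inside the register file. */
static int register_load_ok(unsigned reg, unsigned len)
{
    return len != 0 && reg * REG32_SIZE + len <= REGS_BYTES;
}

/* Portable ntohs() so the block needs no socket headers. */
static uint16_t ntoh16(uint16_t v)
{
    const uint16_t probe = 1;
    int little_endian = *(const uint8_t *)&probe == 1;
    return little_endian ? (uint16_t)((v << 8) | (v >> 8)) : v;
}

/* Pre-fix shape: a union whose 16-bit member serves the size-2 case.
 * sizeof(union elem) is 4, so s[i].u16 and d[i].u16 advance 4 bytes per
 * iteration while the loop still runs len/2 times: it touches bytes up to
 * offset 2*len - 3 from the register base, twice what was bounds-checked. */
union elem { uint32_t u32; uint16_t u16; };

static NOINLINE void byteorder_ntoh16_buggy(uint32_t *regs, unsigned sreg,
                                            unsigned dreg, unsigned len)
{
    union elem *s = (union elem *)&regs[sreg];
    union elem *d = (union elem *)&regs[dreg];
    for (unsigned i = 0; i < len / 2; i++)
        d[i].u16 = ntoh16(s[i].u16);
}

/* Post-fix shape: plain u16 pointers, so the stride matches the element. */
static NOINLINE void byteorder_ntoh16_fixed(uint32_t *regs, unsigned sreg,
                                            unsigned dreg, unsigned len)
{
    uint16_t *s16 = (uint16_t *)&regs[sreg];
    uint16_t *d16 = (uint16_t *)&regs[dreg];
    for (unsigned i = 0; i < len / 2; i++)
        d16[i] = ntoh16(s16[i]);
}

/* Highest byte offset from regs[0] each loop touches, computed without
 * performing the access (a len < 2 loop performs no iteration). */
static size_t buggy_last_byte(unsigned reg, unsigned len)
{
    if (len < 2)
        return reg * REG32_SIZE;
    return reg * REG32_SIZE + (len / 2 - 1) * sizeof(union elem) + sizeof(uint16_t) - 1;
}

static size_t fixed_last_byte(unsigned reg, unsigned len)
{
    return reg * REG32_SIZE + (len ? len - 1 : 0);
}

/* The bug as one predicate: validation accepts the rule, yet evaluation
 * reaches past the register file. */
static int accepted_but_overruns(unsigned reg, unsigned len)
{
    return register_load_ok(reg, len) && buggy_last_byte(reg, len) >= REGS_BYTES;
}

/* Run one variant on a constructed register image and count the guard
 * bytes it clobbered; (size_t)-1 means the kernel would have rejected
 * the rule at load time and no evaluation happens. */
static size_t guard_bytes_written(int use_fixed, unsigned sreg, unsigned dreg, unsigned len)
{
    struct regs_with_guard r;
    size_t clobbered = 0;

    if (!register_load_ok(sreg, len) || !register_load_ok(dreg, len))
        return (size_t)-1;

    memset(r.guard, 0xAA, sizeof r.guard);
    for (unsigned k = 0; k < REG32_NUM; k++)
        r.data[k] = 0x01010000u | k;          /* constructed values; no byte is 0xAA */

    if (use_fixed)
        byteorder_ntoh16_fixed(r.data, sreg, dreg, len);
    else
        byteorder_ntoh16_buggy(r.data, sreg, dreg, len);

    for (size_t j = 0; j < sizeof r.guard; j++)
        clobbered += r.guard[j] != 0xAA;
    return clobbered;
}

int main(void)
{
    /* 16 bytes into the last four registers: validation passes, the buggy
     * loop writes 4-byte-strided u16s out to offset 93, past the 80-byte file. */
    printf("validated: %d  buggy last byte: %zu  fixed last byte: %zu\n",
           register_load_ok(16, 16), buggy_last_byte(16, 16), fixed_last_byte(16, 16));
    printf("guard bytes clobbered: buggy=%zu fixed=%zu\n",
           guard_bytes_written(0, 4, 16, 16), guard_bytes_written(1, 4, 16, 16));
    return 0;
}
```

The point the model makes is that the load-time check is correct for what it validates (len bytes from the register) and the evaluation loop is what consumed 2*len bytes; the fix changes the loop's stride rather than adding another check, and accepted_but_overruns is the invariant a reviewer would want to see hold for every size the expression supports.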
This update for the Linux kernel 5.14.21-150400_24_46 fixes several issues. The following security issues were fixed:
- A use-after-free in Netfilter nf_tables when processing batch requests.
- A flaw in the networking subsystem in the handling of the RPL protocol.
- A use-after-free in vcs_read in drivers/tty/vt/vc_screen.c.
- An out-of-bounds memory access in nft_byteorder that could allow a local attacker to escalate privileges.
- A type confusion in pick_next_rt_entity that could cause memory corruption.
- An out-of-bounds read in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA.
- A heap out-of-bounds write in the ipvlan network driver.
SSVC
- Decision: -
Timeline
- 2023-06-29 CVE Reserved
- 2023-07-05 CVE Published
- 2023-09-01 First Exploit
- 2025-02-13 CVE Updated
- 2025-06-17 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
CWE
- CWE-125: Out-of-bounds Read
- CWE-787: Out-of-bounds Write
References (16)
URL | Date | Type
---|---|---
https://github.com/synacktiv/CVE-2023-35001 | 2023-09-01 | Public exploit
https://github.com/syedhafiz1234/nftables-oob-read-write-exploit-CVE-2023-35001- | 2023-09-04 | Public exploit
https://github.com/mrbrelax/Exploit_CVE-2023-35001 | 2024-01-18 | Public exploit
https://lists.debian.org/debian-lts-announce/2023/08/msg00001.html | 2024-01-11 | Debian LTS advisory
https://lore.kernel.org/netfilter-devel/20230705121515.747251-1-cascardo@canonical.com/T | 2024-01-11 | Fix patch (netfilter-devel)
https://access.redhat.com/security/cve/CVE-2023-35001 | 2024-03-12 | Red Hat advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2220892 | 2024-03-12 | Red Hat bug tracker
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Linux | Linux Kernel | >= 3.13 < 4.14.322 | Affected
Linux | Linux Kernel | >= 4.15 <= 4.19.291 | Affected
Linux | Linux Kernel | >= 4.20 < 5.4.251 | Affected
Linux | Linux Kernel | >= 5.5 < 5.10.188 | Affected
Linux | Linux Kernel | >= 5.11 < 5.15.121 | Affected
Linux | Linux Kernel | >= 5.16 < 6.1.39 | Affected
Linux | Linux Kernel | >= 6.2 < 6.4.4 | Affected
Debian | Debian Linux | 11.0 | Affected
Fedoraproject | Fedora | 37 | Affected
Fedoraproject | Fedora | 38 | Affected
Netapp | H300s | - | Affected
Netapp | H410c | - | Affected
Netapp | H410s | - | Affected
Netapp | H500s | - | Affected
Netapp | H700s | - | Affected