CVE-2023-35001
Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
3Exploited in Wild
-Decision
Descriptions
Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace
Vulnerabilidad de Lectura/Escritura en nftables Fuera de los Límites del kernel de Linux; nft_byteorder administra incorrectamente los contenidos de registro de VM cuando CAP_NET_ADMIN está en cualquier espacio de nombres de usuario o red
An out-of-bounds (OOB) memory access flaw was found in the Netfilter module in the Linux kernel's nft_byteorder_eval in net/netfilter/nft_byteorder.c. A bound check failure allows a local attacker with CAP_NET_ADMIN access to cause a local privilege escalation issue due to incorrect data alignment.
This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the processing of nft chains. The issue results from incorrect pointer scaling, which can result in a memory access past the end of an array. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.
It was discovered that the Broadcom FullMAC USB WiFi driver in the Linux kernel did not properly perform data buffer size validation in some situations. A physically proximate attacker could use this to craft a malicious USB device that when inserted, could cause a denial of service (system crash) or possibly expose sensitive information. Reima Ishii discovered that the nested KVM implementation for Intel x86 processors in the Linux kernel did not properly validate control registers in certain situations. An attacker in a guest VM could use this to cause a denial of service (guest crash). Various other issues were also addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-06-29 CVE Reserved
- 2023-07-05 CVE Published
- 2023-09-01 First Exploit
- 2025-02-13 CVE Updated
- 2025-03-18 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-125: Out-of-bounds Read
- CWE-787: Out-of-bounds Write
CAPEC
References (16)
| URL | Date | SRC |
|---|---|---|
| https://github.com/synacktiv/CVE-2023-35001 | 2023-09-01 | |
| https://github.com/syedhafiz1234/nftables-oob-read-write-exploit-CVE-2023-35001- | 2023-09-04 | |
| https://github.com/mrbrelax/Exploit_CVE-2023-35001 | 2024-01-18 |
| URL | Date | SRC |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2023/08/msg00001.html | 2024-01-11 | |
| https://lore.kernel.org/netfilter-devel/20230705121515.747251-1-cascardo@canonical.com/T | 2024-01-11 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2023-35001 | 2024-03-12 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2220892 | 2024-03-12 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.13 < 4.14.322 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 4.14.322" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.15 <= 4.19.291 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 <= 4.19.291" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.20 < 5.4.251 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 5.4.251" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.5 < 5.10.188 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.5 < 5.10.188" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.11 < 5.15.121 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 5.15.121" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.16 < 6.1.39 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.16 < 6.1.39" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.2 < 6.4.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.2 < 6.4.4" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 37 Search vendor "Fedoraproject" for product "Fedora" and version "37" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 38 Search vendor "Fedoraproject" for product "Fedora" and version "38" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | H300s Search vendor "Netapp" for product "H300s" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | H410c Search vendor "Netapp" for product "H410c" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | H410s Search vendor "Netapp" for product "H410s" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | H500s Search vendor "Netapp" for product "H500s" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | H700s Search vendor "Netapp" for product "H700s" | - | - |
Affected
| ||||||