CVE-2023-52581

netfilter: nf_tables: fix memleak when more than 255 elements expired

Severity Score

7.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fix memleak when more than 255 elements expired

When more than 255 elements expired we're supposed to switch to a new gc
container structure.

This never happens: u8 type will wrap before reaching the boundary
and nft_trans_gc_space() always returns true.

This means we recycle the initial gc container structure and
lose track of the elements that came before.

While at it, don't deref 'gc' after we've passed it to call_rcu.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: nf_tables: corrige memleak cuando caducan más de 255 elementos Cuando caducan más de 255 elementos, se supone que debemos cambiar a una nueva estructura de contenedor gc. Esto nunca sucede: el tipo u8 se ajustará antes de alcanzar el límite y nft_trans_gc_space() siempre devuelve verdadero. Esto significa que reciclamos la estructura inicial del contenedor gc y perdemos la pista de los elementos anteriores. Mientras lo hace, no elimine 'gc' después de que lo hayamos pasado a call_rcu.

A use-after-free flaw was found in the Linux kernel’s nftables sub-component due to a race problem between the set GC and transaction in the Linux Kernel. This flaw allows a local attacker to crash the system. This flaw is similar to the previous CVE-2023-4244 but for a different part of the source code.

*Credits: N/A

CVSS Scores

Red Hatv3.1 7.0

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-03-02 CVE Reserved
2024-03-02 CVE Published
2024-04-05 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-401: Missing Release of Memory after Effective Lifetime

CAPEC

References (11)

URL	Tag	Source
https://git.kernel.org/stable/c/5f68718b34a531a556f2f50300ead2862278da26	Vuln. Introduced
https://git.kernel.org/stable/c/0624f190b5742a1527cd938295caa8dc5281d4cd	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/4aea243b6853d06c1d160a9955b759189aa02b14	2023-10-06
https://git.kernel.org/stable/c/cf5000a7787cbc10341091d37245a42c119d26c5	2023-09-20
https://git.kernel.org/stable/c/7cf055b43756b10aa2b851c927c940f5ed652125	2024-06-16
https://git.kernel.org/stable/c/a995a68e8a3b48533e47c856865d109a1f1a9d01	2023-11-28
https://git.kernel.org/stable/c/09c85f2d21ab6b5acba31a037985b13e8e6565b8	2023-10-10
https://git.kernel.org/stable/c/ef99506eaf1dc31feff1adfcfd68bc5535a22171	2023-10-06
https://git.kernel.org/stable/c/7e5d732e6902eb6a37b35480796838a145ae5f07	2023-10-06

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-52581	2024-05-22
https://bugzilla.redhat.com/show_bug.cgi?id=2267761	2024-05-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.5.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.5.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.4.11 Search vendor "Linux" for product "Linux Kernel" and version "6.4.11"		en		Affected