CVE-2023-53987

Root

Cause

The vulnerability is a potential NULL pointer dereference in the Linux kernel's ping socket implementation when accessing /proc/net/icmp. After commit dbca1596bbb0 ("ping: convert to RCU lookups, get rid of rwlock"), the code used RCU for ping sockets, but the /proc/net/icmp handler still required spinlock synchronization. This mismatch could lead to a NULL dereference under certain conditions [1].

Exploitation

An attacker would need local access to the system and the ability to read /proc/net/icmp. The race condition occurs when the RCU-protected socket lookup returns a NULL pointer that is not properly checked before use. No special privileges beyond file read access are required to trigger the issue, but the attacker must be able to cause concurrent socket operations and file reads.

Impact

Successful exploitation could cause a kernel NULL pointer dereference, leading to a system crash (denial of service). The vulnerability does not appear to allow privilege escalation or arbitrary code execution based on the available information.

Mitigation

The fix was committed to the Linux kernel stable tree in commit 176cbb6da28f36506cc60a4bec4ab8df0c16713a, which reverts the synchronization method back to using spinlock for the /proc/net/icmp path. Users should apply the latest kernel updates from their distribution to resolve this issue [1].