CVE-2023-54040

The vulnerability resides in the ice driver for Intel Ethernet controllers in the Linux kernel. When adding a Flow Director (FDIR) filter, the code fails to properly clean up previously inserted entries or context information if subsequent steps fail. Specifically, if ice_vc_fdir_set_irq_ctx returns a failure, the already-inserted FDIR entry is not removed. Similarly, if ice_vc_fdir_write_fltr fails, the interrupt handler context is not cleared. These flaws can lead to memory leaks or an inconsistent driver state because resources allocated for an incomplete filter addition are not released [1].

The attack surfaces require local access to the system or the ability to trigger the affected FDIR filter addition code path, which typically involves privileged actions such as configuring network filters via virtual functions (VFs) or through the PF driver interface. The vulnerability does not require user interaction beyond performing the filter operations, but it does require the ability to invoke the vulnerable kernel functions, generally necessitating root or high-privileged access to the network device driver.

An attacker who can trigger these failure conditions could cause a denial of service by exhausting kernel memory (memory leak) or by leaving the driver in an inconsistent state that prevents proper filtering operation, potentially leading to network disruption or system instability. The CVE itself does not indicate that code execution or privilege escalation is achievable; the impact is primarily availability-related due to resource leaks.

A patch was applied to the Linux kernel stable tree that refines the failure handling in the ice FDIR code. The fix ensures that when any step in the filter addition process fails, all previously allocated resources are cleaned up, preventing leaks and inconsistency. Affected systems should apply the kernel update containing commit 391d28c0e38c to resolve the issue [1].