CVE-2023-54200
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: always release netdev hooks from notifier
This reverts "netfilter: nf_tables: skip netdev events generated on netns removal".
The problem is that when a veth device is released, the veth release callback will also queue the peer netns device for removal.
Its possible that the peer netns is also slated for removal. In this case, the device memory is already released before the pre_exit hook of the peer netns runs:
BUG: KASAN: slab-use-after-free in nf_hook_entry_head+0x1b8/0x1d0 Read of size 8 at addr ffff88812c0124f0 by task kworker/u8:1/45 Workqueue: netns cleanup_net Call Trace: nf_hook_entry_head+0x1b8/0x1d0 __nf_unregister_net_hook+0x76/0x510 nft_netdev_unregister_hooks+0xa0/0x220 __nft_release_hook+0x184/0x490 nf_tables_pre_exit_net+0x12f/0x1b0 ..
Order is: 1. First netns is released, veth_dellink() queues peer netns device for removal 2. peer netns is queued for removal 3. peer netns device is released, unreg event is triggered 4. unreg event is ignored because netns is going down 5. pre_exit hook calls nft_netdev_unregister_hooks but device memory might be free'd already.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Linux kernel netfilter nf_tables when releasing netdev hooks during network namespace removal.
Vulnerability
A use-after-free vulnerability exists in the Linux kernel's netfilter subsystem, specifically in nf_tables. The bug arises when netdev events are skipped during network namespace (netns) removal due to a previous commit that was later reverted. This leads to a situation where device memory is freed before the netfilter hooks are properly unregistered, resulting in a slab-use-after-free condition [1][2].
Exploitation
An attacker capable of creating and destroying network namespaces, and managing veth devices (typically requiring root privileges or container-level access), can trigger the vulnerability. The sequence involves a veth device being released, which queues the peer netns device for removal. When the peer netns is also scheduled for removal, the device memory may be released before the pre_exit hook runs, causing a use-after-free when nf_hook_entry_head is accessed [1].
Impact
A successful exploit can cause a kernel crash (as evidenced by the KASAN report) and may potentially lead to privilege escalation or other memory corruption scenarios. The vulnerability is considered serious due to the use-after-free nature, which can be leveraged for arbitrary code execution [1][2].
Mitigation
The fix reverts the problematic commit that skipped netdev events on netns removal. Patches are available in the stable kernel tree (commit IDs dc1c9fd4a8bbe and 30e4b13b1bfbd). Users should update to the latest stable kernel versions that include this fix [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
48d56f00c61f630e4b13b1bfb94032527efbadc1c9fd4a8bbVulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.