CVE-2023-54243

Root

Cause

The vulnerability resides in the ebtables subsystem of the Linux kernel's netfilter framework. In the relevant code path, the function find_table_lock() can return a valid table pointer while also setting the error variable ret to a non-zero value. The caller then proceeds to update table->private with a new blob, but because ret is non-zero, it subsequently frees that blob immediately, leading to a use-after-free condition [1]. The official description notes that the same path in ip(6)tables appears to be safe because ret should always be 0 there, but the ebtables path fails to enforce this invariant [1].

Exploitation

An attacker would need the ability to trigger a specific ebtables table update operation that invokes the flawed error-handling path. The attack does not require physical access but does require the ability to issue netfilter commands (e.g., via ebtables userspace utility or netlink sockets). A Syzkaller-generated report demonstrated the crash, showing that the bug is reachable during network namespace teardown, specifically in the __ebt_unregister_table() function [1].

Impact

A successful exploit could cause a kernel crash (denial of service) due to accessing freed memory. The KASAN report shows a vmalloc-out-of-bounds read of size 4 at the freed address, and the crash occurs in the workqueue context during namespace cleanup [1]. Under controlled conditions, an attacker might be able to leverage the use-after-free to achieve arbitrary code execution, though the description focuses on the memory safety issue and the resulting system instability.

Mitigation

The fix has been committed to the Linux kernel stable tree. Users should apply the patch referenced in the commit [1] (commit 3dd6ac973351) or update to a kernel version that includes the fix. As of the publication date, the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, and no workarounds are documented beyond applying the kernel patch.