VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2023-54273

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: Fix leak of dev tracker

At the stage of direction checks, the netdev reference tracker is already initialized, but released with wrong *_put() call.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in the Linux kernel's xfrm subsystem due to incorrect netdev tracker release during direction checks, leading to a reference leak.

Vulnerability Analysis

CVE-2023-54273 describes a bug in the Linux kernel's xfrm (IPsec) subsystem where the netdev reference tracker is initialized prematurely—before the direction checks—but then released using the wrong *_put() call. This mismatch causes a reference leak, potentially leading to use-after-free conditions when the network device is freed while still referenced by the xfrm state [1].
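A minimal userspace model of the mismatch described above, added here as an illustration; it is not kernel code and not the fix commit. Every name in it (`model_dev`, `model_hold`, `model_put_tracked`, `model_put_untracked`, `direction_check_fails`) is hypothetical, and it assumes a tracked hold records one tracker entry that only the tracked put retires.

```c
/* Userspace model of a tracked device reference; all names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct tracker { struct tracker *next; };               /* one entry per tracked hold */
struct model_dev { int refcnt; struct tracker *live; }; /* count + live tracker list */

/* Tracked hold: take a reference and record a tracker entry for it. */
static void model_hold(struct model_dev *d, struct tracker **t) {
    *t = malloc(sizeof(**t));
    if (!*t) abort();
    (*t)->next = d->live;
    d->live = *t;
    d->refcnt++;
}

/* Untracked put: drops the reference but never touches the tracker list. */
static void model_put_untracked(struct model_dev *d) { d->refcnt--; }

/* Tracked put: drops the reference and retires the matching tracker entry. */
static void model_put_tracked(struct model_dev *d, struct tracker **t) {
    struct tracker **p = &d->live;
    while (*p && *p != *t) p = &(*p)->next;
    if (*p) { *p = (*t)->next; free(*t); *t = NULL; }
    d->refcnt--;
}

static int live_trackers(const struct model_dev *d) {
    int n = 0;
    for (const struct tracker *t = d->live; t; t = t->next) n++;
    return n;
}

/* Error path of a direction check; returns the tracker entries left behind. */
static int direction_check_fails(int use_tracked_put) {
    struct model_dev dev = { .refcnt = 1, .live = NULL };
    struct tracker *trk = NULL;
    model_hold(&dev, &trk);             /* tracker is already initialized here */
    if (use_tracked_put)
        model_put_tracked(&dev, &trk);  /* release that matches the hold */
    else
        model_put_untracked(&dev);      /* wrong *_put(): entry is orphaned */
    int left = live_trackers(&dev);
    free(trk);                          /* model cleanup only; NULL if retired */
    return left;
}

int main(void) {
    printf("untracked put leaks %d, tracked put leaks %d\n",
           direction_check_fails(0), direction_check_fails(1));
    return 0;
}
```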

Exploitation Prerequisites

Exploitation requires an attacker to be able to trigger the specific xfrm code path that performs direction checks. This typically requires local access to the system or the ability to send crafted IPsec packets. The vulnerability is a memory corruption bug triggered during normal operation of the xfrm subsystem when processing security associations or policies, and does not require special privileges beyond those needed to establish IPsec connections [1].

Impact Assessment

If successfully exploited, an attacker could cause a use-after-free condition, leading to a kernel panic (OS crash) or potentially arbitrary code execution with kernel privileges. The reference leak means the network device's reference count remains elevated, preventing its proper cleanup and freeing. When the device is eventually removed, the stale reference in the xfrm state could be accessed, resulting in memory corruption [1].

Mitigation Status

A fix has been applied to the Linux kernel stable tree via commit 7d16c515059b3746f2d6a24a74c3ba786a68c2a1, which corrects the *_put() call to properly release the dev tracker. Users should update their kernels to include this commit or a subsequent version that contains the fix [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 2

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2
