VYPR
Advisory · Published Mar 30, 2026 · Updated May 18, 2026 · 1 source

CVE-2023-6270: Linux Kernel AoE Driver Use-After-Free Vulnerability Disclosed After Two-Year Coordinated Disclosure

The Zero Day Initiative has disclosed CVE-2023-6270, a use-after-free vulnerability in the Linux kernel's ATA over Ethernet (AoE) driver that allows local attackers to escalate privileges to kernel level.

On March 30, 2026, the Zero Day Initiative (ZDI) published advisory ZDI-26-238 detailing CVE-2023-6270, a use-after-free vulnerability in the Linux kernel's ATA over Ethernet (AoE) driver. The flaw, reported to Linux by researcher Lucas Leong of Trend Micro's ZDI on September 29, 2023, had been under coordinated disclosure for over two years before the public advisory was released. Linux has issued a fix, and the advisory includes a link to the Red Hat Bugzilla entry 2256786 for further details.

The vulnerability resides in the AoE driver, a kernel module that implements the ATA over Ethernet protocol, which allows ATA storage commands to be transmitted over Ethernet networks. The specific flaw stems from a lack of proper validation of an object's existence before performing operations on it, leading to a classic use-after-free condition. An attacker who can execute low-privileged code on a target system can trigger the use-after-free condition to corrupt kernel memory and escalate privileges to the kernel level, ultimately achieving arbitrary code execution in ring 0.

The vulnerability carries a CVSS score of 7.8, with the vector AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H. While the attack vector is local and requires low-privileged code execution, the scope change indicates that the compromised component can impact resources beyond its original security boundary. The high complexity component reflects the difficulty of reliably triggering the use-after-free state, but successful exploitation grants full kernel-level access.

The AoE driver is not enabled by default in most mainstream Linux distributions, but it is commonly loaded on systems that use AoE-based storage area networks, particularly in data center and enterprise environments where ATA over Ethernet is deployed as a low-cost SAN alternative. Systems running custom kernels or distributions that include the driver in their default configuration are also at risk. The vulnerability does not appear to have been exploited in the wild prior to disclosure.

Linux has released a patch for CVE-2023-6270, and the fix is included in the mainline kernel. Distribution maintainers are expected to backport the patch to stable and long-term support (LTS) kernel branches. Users are advised to update their kernels to the latest patched version or, if the AoE driver is not required, to blacklist the `aoe` kernel module as a mitigation measure.
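As an added example, not part of the Vypr advisory or the ZDI bulletin, the POSIX shell snippet below checks lsmod-style output (or `/proc/modules` when readable) for a loaded `aoe` module and emits the modprobe.d drop-in that implements the blacklist mitigation; the drop-in path `/etc/modprobe.d/aoe-blacklist.conf` and the sample module listing are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the advisory's own tooling): detect a loaded AoE driver
# and produce the modprobe.d configuration that keeps it from loading.

# Return 0 when an "aoe" module line is present in lsmod-style (or
# /proc/modules-style) text read from stdin, 1 otherwise.
aoe_loaded_in() {
    awk 'BEGIN { rc = 1 } $1 == "aoe" { rc = 0 } END { exit rc }'
}

# Print the drop-in. "blacklist aoe" only stops alias-based autoloading;
# "install aoe /bin/false" also makes an explicit "modprobe aoe" fail,
# so both lines are emitted.
aoe_blacklist_conf() {
    printf '%s\n' \
        '# CVE-2023-6270 mitigation: prevent the AoE driver from loading' \
        'blacklist aoe' \
        'install aoe /bin/false'
}

# Constructed sample of lsmod output used when /proc/modules is unavailable.
SAMPLE_LSMOD='Module                  Size  Used by
aoe                    40960  0
nf_tables             245760  0'

main() {
    if [ -r /proc/modules ]; then
        modules=$(cat /proc/modules)
    else
        modules="$SAMPLE_LSMOD"
    fi
    if printf '%s\n' "$modules" | aoe_loaded_in; then
        echo "aoe is loaded; unload with 'rmmod aoe' once no AoE devices are in use"
    else
        echo "aoe is not currently loaded"
    fi
    # Assumed target path; write it as root to make the block persistent:
    #   aoe_blacklist_conf > /etc/modprobe.d/aoe-blacklist.conf
    aoe_blacklist_conf
}

main
```

Pipe real `lsmod` output into `aoe_loaded_in` to check a remote host's listing captured elsewhere; after installing the drop-in, `modprobe aoe` should fail, confirming the override is in effect.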

The disclosure timeline for CVE-2023-6270 is notable: the vulnerability was reported in September 2023, but the advisory was not published until March 2026, a gap of approximately 2.5 years. This extended period reflects the challenges of coordinated disclosure for kernel vulnerabilities, where patches must be carefully developed, tested, and integrated across dozens of distributions and embedded systems. The case also highlights the ongoing risk posed by less commonly used kernel subsystems, which may receive less scrutiny during code review and fuzzing campaigns.

Synthesized by Vypr AI