CVE-2023-53200
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-15

Last updated on: 2025-12-04

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: fix percpu counter block leak on error path when creating new netns Here is the stack where we allocate percpu counter block: +-< __alloc_percpu +-< xt_percpu_counter_alloc +-< find_check_entry # {arp,ip,ip6}_tables.c +-< translate_table And it can be leaked on this code path: +-> ip6t_register_table +-> translate_table # allocates percpu counter block +-> xt_register_table # fails there is no freeing of the counter block on xt_register_table fail. Note: xt_percpu_counter_free should be called to free it like we do in do_replace through cleanup_entry helper (or in __ip6t_unregister_table). Probability of hitting this error path is low AFAICS (xt_register_table can only return ENOMEM here, as it is not replacing anything, as we are creating new netns, and it is hard to imagine that all previous allocations succeeded and after that one in xt_register_table failed). But it's worth fixing even the rare leak.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-15
Last Modified
2025-12-04
Generated
2026-06-16
AI Q&A
2025-09-15
EPSS Evaluated
2026-06-15
NVD
CVE-2023-53200
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 4.2 (inc) to 5.15.100 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.18 (exc)
linux linux_kernel From 6.2 (inc) to 6.2.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The impact of this vulnerability is a rare memory leak in the Linux kernel when creating new network namespaces. While the likelihood of this leak occurring is low, if it does happen, it could lead to unnecessary memory consumption over time, potentially affecting system stability or performance in environments that frequently create and destroy network namespaces.

Executive Summary

This vulnerability is a memory leak in the Linux kernel's netfilter subsystem related to the allocation of percpu counter blocks when creating new network namespaces (netns). Specifically, if the function xt_register_table fails during the creation of a new netns, the allocated percpu counter block is not freed, causing a leak. Although the probability of this error path occurring is low, the fix ensures proper cleanup to prevent even rare leaks.

Mitigation Strategies

Apply the Linux kernel update that includes the fix for the percpu counter block leak in netfilter's x_tables when creating new network namespaces. Since the probability of hitting the error path is low, ensuring your system is updated to the fixed kernel version is the recommended mitigation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-53200. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart