CVE-2023-53635
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-07

Last updated on: 2026-02-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: fix wrong ct->timeout value (struct nf_conn)->timeout is an interval before the conntrack confirmed. After confirmed, it becomes a timestamp. It is observed that timeout of an unconfirmed conntrack: - Set by calling ctnetlink_change_timeout(). As a result, `nfct_time_stamp` was wrongly added to `ct->timeout` twice. - Get by calling ctnetlink_dump_timeout(). As a result, `nfct_time_stamp` was wrongly subtracted. Call Trace: <TASK> dump_stack_lvl ctnetlink_dump_timeout __ctnetlink_glue_build ctnetlink_glue_build __nfqnl_enqueue_packet nf_queue nf_hook_slow ip_mc_output ? __pfx_ip_finish_output ip_send_skb ? __pfx_dst_output udp_send_skb udp_sendmsg ? __pfx_ip_generic_getfrag sock_sendmsg Separate the 2 cases in: - Setting `ct->timeout` in __nf_ct_set_timeout(). - Getting `ct->timeout` in ctnetlink_dump_timeout(). Pablo appends: Update ctnetlink to set up the timeout _after_ the IPS_CONFIRMED flag is set on, otherwise conntrack creation via ctnetlink breaks. Note that the problem described in this patch occurs since the introduction of the nfnetlink_queue conntrack support, select a sufficiently old Fixes: tag for -stable kernel to pick up this fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-07
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2025-10-07
EPSS Evaluated
2026-06-15
NVD
CVE-2023-53635
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.3 (inc) to 6.3.2 (inc)
linux kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel's netfilter conntrack subsystem involves incorrect handling of the timeout value for connection tracking entries. Specifically, the timeout value for unconfirmed connections was incorrectly calculated because a timestamp (nfct_time_stamp) was added twice when setting the timeout and subtracted incorrectly when retrieving it. This caused the timeout to be wrong until the connection was confirmed, potentially breaking conntrack creation via ctnetlink. The fix involved updating the code to set the timeout only after the connection is confirmed.

Impact Analysis

This vulnerability can impact systems by causing incorrect timeout values in the connection tracking subsystem, which may lead to failures or unexpected behavior in network connection tracking. This could disrupt network packet filtering, firewall rules, or network address translation that rely on accurate connection tracking, potentially affecting network reliability or security.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-53635. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart