CVE-2023-54200
Unknown Unknown - Not Provided
Use-After-Free in Linux Kernel nf_tables netdev Hooks Causes Memory Corruption

Publication date: 2025-12-30

Last updated on: 2025-12-30

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: always release netdev hooks from notifier This reverts "netfilter: nf_tables: skip netdev events generated on netns removal". The problem is that when a veth device is released, the veth release callback will also queue the peer netns device for removal. Its possible that the peer netns is also slated for removal. In this case, the device memory is already released before the pre_exit hook of the peer netns runs: BUG: KASAN: slab-use-after-free in nf_hook_entry_head+0x1b8/0x1d0 Read of size 8 at addr ffff88812c0124f0 by task kworker/u8:1/45 Workqueue: netns cleanup_net Call Trace: nf_hook_entry_head+0x1b8/0x1d0 __nf_unregister_net_hook+0x76/0x510 nft_netdev_unregister_hooks+0xa0/0x220 __nft_release_hook+0x184/0x490 nf_tables_pre_exit_net+0x12f/0x1b0 .. Order is: 1. First netns is released, veth_dellink() queues peer netns device for removal 2. peer netns is queued for removal 3. peer netns device is released, unreg event is triggered 4. unreg event is ignored because netns is going down 5. pre_exit hook calls nft_netdev_unregister_hooks but device memory might be free'd already.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-30
Last Modified
2025-12-30
Generated
2026-05-06
AI Q&A
2025-12-30
EPSS Evaluated
2026-05-05
NVD
CVE-2023-54200
EUVD
EUVD-2023-60441
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel's netfilter nf_tables subsystem. When a virtual Ethernet (veth) device is released, its release callback queues the peer network namespace (netns) device for removal. If the peer netns is also being removed, the device memory may be freed before the pre-exit hook runs, leading to a use-after-free bug. This can cause a kernel memory access error (KASAN slab-use-after-free) during the cleanup process, potentially destabilizing the system.


How can this vulnerability impact me? :

This vulnerability can lead to a use-after-free condition in the Linux kernel, which may cause system instability, crashes, or potential kernel memory corruption. Such issues could affect the reliability and security of systems running vulnerable kernel versions, possibly leading to denial of service or other unpredictable behavior.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart