First published: Mon Aug 28 2023(Updated: )
A use-after-free flaw was found in nftables sub-component due to a race problem between set GC and transaction in the Linux Kernel. This flaw could allow a local attacker to crash the system, due to missing call to to `nft_set_elem_mark_busy` causing double deactivation of the element. This vulnerability could even lead to a kernel information leak problem. Refer: <a href="https://lore.kernel.org/netdev/20230810070830.24064-1-pablo@netfilter.org/">https://lore.kernel.org/netdev/20230810070830.24064-1-pablo@netfilter.org/</a> <a href="https://lore.kernel.org/netdev/20230815223011.7019-1-fw@strlen.de/">https://lore.kernel.org/netdev/20230815223011.7019-1-fw@strlen.de/</a>
Credit: cve-coordination@google.com cve-coordination@google.com cve-coordination@google.com
Affected Software | Affected Version | How to fix |
---|---|---|
Linux Linux kernel | <6.5 | |
Debian Debian Linux | =10.0 | |
redhat/Kernel | <6.5 | 6.5 |
ubuntu/linux | <5.4.0-173.191 | 5.4.0-173.191 |
ubuntu/linux | <5.15.0-87.97 | 5.15.0-87.97 |
ubuntu/linux | <6.2.0-35.35 | 6.2.0-35.35 |
ubuntu/linux | <6.5.0-13.13 | 6.5.0-13.13 |
ubuntu/linux | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-allwinner-5.19 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-aws | <5.4.0-1120.130 | 5.4.0-1120.130 |
ubuntu/linux-aws | <5.15.0-1048.53 | 5.15.0-1048.53 |
ubuntu/linux-aws | <6.2.0-1014.14 | 6.2.0-1014.14 |
ubuntu/linux-aws | <6.5.0-1010.10 | 6.5.0-1010.10 |
ubuntu/linux-aws | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-aws-5.15 | <5.15.0-1048.53~20.04.1 | 5.15.0-1048.53~20.04.1 |
ubuntu/linux-aws-5.15 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-aws-5.4 | <5.4.0-1120.130~18.04.1 | 5.4.0-1120.130~18.04.1 |
ubuntu/linux-aws-5.4 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-aws-6.2 | <6.2.0-1014.14~22.04.1 | 6.2.0-1014.14~22.04.1 |
ubuntu/linux-aws-6.2 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-aws-6.5 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-aws-fips | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-aws-hwe | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-azure | <5.4.0-1126.133 | 5.4.0-1126.133 |
ubuntu/linux-azure | <5.15.0-1050.57 | 5.15.0-1050.57 |
ubuntu/linux-azure | <6.2.0-1015.15 | 6.2.0-1015.15 |
ubuntu/linux-azure | <6.5.0-1009.9 | 6.5.0-1009.9 |
ubuntu/linux-azure | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-azure-4.15 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-azure-5.15 | <5.15.0-1050.57~20.04.1 | 5.15.0-1050.57~20.04.1 |
ubuntu/linux-azure-5.15 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-azure-5.4 | <5.4.0-1126.133~18.04.1 | 5.4.0-1126.133~18.04.1 |
ubuntu/linux-azure-5.4 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-azure-6.2 | <6.2.0-1015.15~22.04.1 | 6.2.0-1015.15~22.04.1 |
ubuntu/linux-azure-6.2 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-azure-6.5 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-azure-fde | <5.15.0-1050.57.1 | 5.15.0-1050.57.1 |
ubuntu/linux-azure-fde | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-azure-fde-5.15 | <5.15.0-1050.57~20.04.1.1 | 5.15.0-1050.57~20.04.1.1 |
ubuntu/linux-azure-fde-5.15 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-azure-fde-5.19 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-azure-fde-6.2 | <6.2.0-1015.15~22.04.1 | 6.2.0-1015.15~22.04.1 |
ubuntu/linux-azure-fde-6.2 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-azure-fips | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-bluefield | <5.4.0-1080.87 | 5.4.0-1080.87 |
ubuntu/linux-bluefield | <5.15.0-1028.30 | 5.15.0-1028.30 |
ubuntu/linux-bluefield | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-fips | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-gcp | <5.4.0-1124.133 | 5.4.0-1124.133 |
ubuntu/linux-gcp | <5.15.0-1045.53 | 5.15.0-1045.53 |
ubuntu/linux-gcp | <6.2.0-1017.19 | 6.2.0-1017.19 |
ubuntu/linux-gcp | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-gcp-4.15 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-gcp-5.15 | <5.15.0-1045.53~20.04.2 | 5.15.0-1045.53~20.04.2 |
ubuntu/linux-gcp-5.15 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-gcp-5.19 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-gcp-5.4 | <5.4.0-1124.133~18.04.1 | 5.4.0-1124.133~18.04.1 |
ubuntu/linux-gcp-5.4 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-gcp-6.2 | <6.2.0-1017.19~22.04.1 | 6.2.0-1017.19~22.04.1 |
ubuntu/linux-gcp-6.5 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-gcp-fips | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-gke | <5.15.0-1045.50 | 5.15.0-1045.50 |
ubuntu/linux-gke | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-gkeop | <5.4.0-1087.91 | 5.4.0-1087.91 |
ubuntu/linux-gkeop | <5.15.0-1031.37 | 5.15.0-1031.37 |
ubuntu/linux-gkeop | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-gkeop-5.15 | <5.15.0-1031.37~20.04.1 | 5.15.0-1031.37~20.04.1 |
ubuntu/linux-gkeop-5.15 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-hwe | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-hwe-5.15 | <5.15.0-87.97~20.04.1 | 5.15.0-87.97~20.04.1 |
ubuntu/linux-hwe-5.15 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-hwe-5.4 | <5.4.0-173.191~18.04.1 | 5.4.0-173.191~18.04.1 |
ubuntu/linux-hwe-5.4 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-hwe-6.2 | <6.2.0-35.35~22.04.1 | 6.2.0-35.35~22.04.1 |
ubuntu/linux-hwe-6.2 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-hwe-6.5 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-ibm | <5.4.0-1067.72 | 5.4.0-1067.72 |
ubuntu/linux-ibm | <5.15.0-1041.44 | 5.15.0-1041.44 |
ubuntu/linux-ibm | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-ibm-5.15 | <5.15.0-1041.44~20.04.1 | 5.15.0-1041.44~20.04.1 |
ubuntu/linux-ibm-5.15 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-ibm-5.4 | <5.4.0-1067.72~18.04.1 | 5.4.0-1067.72~18.04.1 |
ubuntu/linux-ibm-5.4 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-intel | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-intel-iotg | <5.15.0-1043.49 | 5.15.0-1043.49 |
ubuntu/linux-intel-iotg | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-intel-iotg-5.15 | <5.15.0-1043.49~20.04.1 | 5.15.0-1043.49~20.04.1 |
ubuntu/linux-intel-iotg-5.15 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-iot | <5.4.0-1032.33 | 5.4.0-1032.33 |
ubuntu/linux-iot | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-kvm | <5.4.0-1108.115 | 5.4.0-1108.115 |
ubuntu/linux-kvm | <5.15.0-1045.50 | 5.15.0-1045.50 |
ubuntu/linux-kvm | <6.2.0-1015.15 | 6.2.0-1015.15 |
ubuntu/linux-kvm | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-laptop | <6.5.0-1006.9 | 6.5.0-1006.9 |
ubuntu/linux-laptop | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-lowlatency | <5.15.0-87.96 | 5.15.0-87.96 |
ubuntu/linux-lowlatency | <6.2.0-1015.15 | 6.2.0-1015.15 |
ubuntu/linux-lowlatency | <6.5.0-13.13.1 | 6.5.0-13.13.1 |
ubuntu/linux-lowlatency | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-lowlatency-hwe-5.15 | <5.15.0-87.96~20.04.1 | 5.15.0-87.96~20.04.1 |
ubuntu/linux-lowlatency-hwe-5.15 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-lowlatency-hwe-5.19 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-lowlatency-hwe-6.2 | <6.2.0-1015.15~22.04.1 | 6.2.0-1015.15~22.04.1 |
ubuntu/linux-lowlatency-hwe-6.2 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-lowlatency-hwe-6.5 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-lts-xenial | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-nvidia | <5.15.0-1039.39 | 5.15.0-1039.39 |
ubuntu/linux-nvidia | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-nvidia-6.2 | <6.2.0-1011.11 | 6.2.0-1011.11 |
ubuntu/linux-nvidia-6.2 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-nvidia-6.5 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-oem-5.17 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-oem-6.0 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-oem-6.1 | <6.1.0-1025.25 | 6.1.0-1025.25 |
ubuntu/linux-oem-6.1 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-oem-6.5 | <6.5.0-1008.8 | 6.5.0-1008.8 |
ubuntu/linux-oem-6.5 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-oem-6.8 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-oracle | <5.4.0-1119.128 | 5.4.0-1119.128 |
ubuntu/linux-oracle | <5.15.0-1046.52 | 5.15.0-1046.52 |
ubuntu/linux-oracle | <6.2.0-1014.14 | 6.2.0-1014.14 |
ubuntu/linux-oracle | <6.5.0-1012.12 | 6.5.0-1012.12 |
ubuntu/linux-oracle | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-oracle-5.15 | <5.15.0-1046.52~20.04.1 | 5.15.0-1046.52~20.04.1 |
ubuntu/linux-oracle-5.15 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-oracle-5.4 | <5.4.0-1119.128~18.04.1 | 5.4.0-1119.128~18.04.1 |
ubuntu/linux-oracle-5.4 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-oracle-6.5 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-raspi | <5.4.0-1104.116 | 5.4.0-1104.116 |
ubuntu/linux-raspi | <5.15.0-1041.44 | 5.15.0-1041.44 |
ubuntu/linux-raspi | <6.2.0-1015.17 | 6.2.0-1015.17 |
ubuntu/linux-raspi | <6.5.0-1007.9 | 6.5.0-1007.9 |
ubuntu/linux-raspi | <6.7.0-1001.1 | 6.7.0-1001.1 |
ubuntu/linux-raspi | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-raspi-5.4 | <5.4.0-1104.116~18.04.1 | 5.4.0-1104.116~18.04.1 |
ubuntu/linux-raspi-5.4 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-riscv | <6.2.0-35.35.1 | 6.2.0-35.35.1 |
ubuntu/linux-riscv | <6.5.0-13.13.1 | 6.5.0-13.13.1 |
ubuntu/linux-riscv | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-riscv-5.15 | <5.15.0-1044.48~20.04.1 | 5.15.0-1044.48~20.04.1 |
ubuntu/linux-riscv-5.15 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-riscv-6.5 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-starfive | <6.2.0-1007.8 | 6.2.0-1007.8 |
ubuntu/linux-starfive | <6.5.0-1004.5 | 6.5.0-1004.5 |
ubuntu/linux-starfive | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-starfive-6.2 | <6.2.0-1007.8~22.04.1 | 6.2.0-1007.8~22.04.1 |
ubuntu/linux-starfive-6.2 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-starfive-6.5 | <6.6~<6.5.4 | 6.6~ 6.5.4 |
ubuntu/linux-xilinx-zynqmp | <5.4.0-1039.43 | 5.4.0-1039.43 |
ubuntu/linux-xilinx-zynqmp | <5.15.0-1025.29 | 5.15.0-1025.29 |
ubuntu/linux-xilinx-zynqmp | <6.6~<6.5.4 | 6.6~ 6.5.4 |
debian/linux | 5.10.218-1 5.10.221-1 6.1.94-1 6.1.99-1 6.9.10-1 |
If not needed, disable the ability for unprivileged users to create namespaces. To do this temporarily, do: sudo sysctl -w kernel.unprivileged_userns_clone=0 To disable across reboots, do: echo kernel.unprivileged_userns_clone=0 | \ sudo tee /etc/sysctl.d/99-disable-unpriv-userns.conf
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2023-4244 is a use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component.
CVE-2023-4244 can be exploited to achieve local privilege escalation.
CVE-2023-4244 has a severity rating of 7.8 (high).
CVE-2023-4244 affects the Linux kernel version 6.5 and below.
Yes, a fix for CVE-2023-4244 is available. Please refer to the provided references for more information on the fix.