Cyber Resilience

CVE-2023-0881

Severity: High · Public PoC

Published: 31 March 2025
Modified: 26 August 2025
KEV Added: not listed
CVSS v3.1 base score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0078 (74.1st percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-0881 is a high-severity Improper Input Validation (CWE-20) vulnerability in Canonical Linux-Bluefield. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Direct Network Flood (T1498.001). The CVE ranks in the top 25.9% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-0881 is a denial-of-service vulnerability in the linux-bluefield kernel package, where running a DDoS attack on TCP port 22 triggers a kernel crash. The issue stems from an incomplete backport of a commit related to nft_lookup, lacking subsequent fixes that address the problem. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-20 (Improper Input Validation) and CWE-1333 (Inefficient Complicated Loop).

Any unauthenticated attacker with network access can exploit this vulnerability by launching a DDoS attack targeting TCP port 22, causing a complete kernel crash and disrupting system availability without requiring privileges or user interaction.

The Ubuntu Launchpad bug report for linux-bluefield (https://bugs.launchpad.net/ubuntu/+source/linux-bluefield/+bug/2006397) details the resolution, which involves applying the missing commits from the original nft_lookup fixes to the linux-bluefield package, effectively patching the vulnerability.


Vulnerability details

Running DDoS on TCP port 22 will trigger a kernel crash. This issue is introduced by the backport of a commit regarding nft_lookup without the subsequent fixes that were introduced after this commit. The resolution of this CVE introduces those commits to the linux-bluefield package.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1498.001 Direct Network Flood (tactic: Impact)
Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target.
Why these techniques?

Vulnerability directly enables direct network flood (DDoS on TCP 22) to trigger kernel crash and system DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34178 (same vendor: Canonical)
CVE-2025-15480 (same vendor: Canonical)
CVE-2026-34179 (same vendor: Canonical)
CVE-2026-5412 (same vendor: Canonical)
CVE-2026-4370 (same vendor: Canonical)
CVE-2025-14551 (same vendor: Canonical)
CVE-2026-49238 (same vendor: Canonical)
CVE-2025-53513 (same vendor: Canonical)
CVE-2024-6107 (same vendor: Canonical)
CVE-2026-34177 (same vendor: Canonical)

Affected Assets

Vendor: canonical · Product: linux-bluefield · Versions: ≤ 5.4.0-1058.64

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent): directly remediates the kernel flaw in nft_lookup by applying the missing commits to the linux-bluefield package, eliminating the root cause of the crash.

SC-5 Denial-of-service Protection (prevent): implements denial-of-service protections such as rate limiting or flood mitigation specifically for TCP port 22 traffic, so that a flood cannot trigger the kernel crash.

SC-7 Boundary Protection (prevent): enforces boundary protections such as firewalls or ACLs to restrict unauthorized or excessive network access to TCP port 22, reducing the vulnerability's exposure.
