Cyber Resilience

CVE-2023-2156

High

Published: 09 May 2023

Published
09 May 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0213 84.5th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-2156 is a high-severity Reachable Assertion (CWE-617) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 15.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

A flaw exists in the Linux kernel's networking subsystem related to handling of the RPL protocol. The issue stems from insufficient validation of user-supplied data, which triggers an assertion failure classified under CWE-617. This affects the kernel's ability to process certain network inputs safely and carries a CVSS 3.1 score of 7.5 with network attack vector and high availability impact.

An unauthenticated remote attacker can send crafted packets that reach the vulnerable RPL code path, causing the kernel to hit the assertion and crash the system. The result is a denial-of-service condition that requires no privileges or user interaction on the target.

Public references on oss-security mailing lists and the Red Hat Bugzilla entry for this issue provide additional technical discussion and coordination details for downstream distributions.

The EPSS score rose materially from a low baseline to a peak of 0.2963 on 2025-01-22 before receding, indicating that exploitation interest developed after the original disclosure and that the CVE merits renewed attention.

EU & UK References

Vulnerability details

A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol. This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion failure. This may…

more

allow an unauthenticated remote attacker to create a denial of service condition on the system.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

linux
linux kernel
5.7 — 5.10.184 · 5.11 — 5.15.117 · 5.16 — 6.1.34
redhat
enterprise linux
9.0
fedoraproject
fedora
38
debian
debian linux
10.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References