CVE-2023-28753
Published: 18 May 2023
Summary
CVE-2023-28753 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Facebook Netconsd. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 4.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
netconsd prior to version 0.2 contains an integer overflow in the parse_packet function that results in heap memory corruption with attacker-controlled data. The affected component is the netconsd daemon, a network console logging service originally developed by Facebook. The vulnerability is tracked as CWE-787 and carries a CVSS 3.1 score of 9.8, reflecting a network attack vector, low complexity, and no required authentication or user interaction.
A remote attacker can send a specially crafted network packet to trigger the overflow, enabling arbitrary heap corruption that may be leveraged for code execution or denial of service. Because the flaw requires no privileges or user interaction, exploitation is possible against any exposed, unpatched instance reachable over the network.
The referenced Facebook security advisory and the GitHub commit 9fc54edf54f7caea1189c2b979337ed37af2c60e indicate that the issue is resolved by updating to netconsd v0.2 or later, which contains the corrective changes to the packet parsing logic. The EPSS score has remained flat at its peak value of 0.1754 with no material post-disclosure increase.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-32391
Vulnerability details
netconsd prior to v0.2 was vulnerable to an integer overflow in its parse_packet function. A malicious individual could leverage this overflow to create heap memory corruption with attacker-controlled data.
- CWE(s): CWE-787
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.