CVE-2023-3338
Published: 30 June 2023
Summary
CVE-2023-3338 is a medium-severity NULL Pointer Dereference (CWE-476) vulnerability in Debian Linux. Its CVSS base score is 6.5 (Medium).
Operationally, it ranks in the top 7.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A null pointer dereference vulnerability exists in the Linux kernel's DECnet networking protocol implementation, tracked as CVE-2023-3338. The flaw is classified under CWE-476 and carries a CVSS 3.1 score of 6.5, reflecting network attack vector, low complexity, and low privileges required to trigger a denial-of-service condition that affects system availability while leaving confidentiality and integrity intact.
An authenticated remote attacker can send specially crafted network traffic to a system with DECnet enabled, causing the kernel to dereference a null pointer and crash. This results in a reboot or loss of service without the need for user interaction or elevated privileges on the target.
Red Hat, Debian, and other distributions have published advisories and backported fixes through their respective kernel update channels, as referenced in the listed Red Hat Bugzilla entry and Debian LTS announcements. The EPSS score rose from lower values after the 2023 disclosure to a peak of 0.1123 in December 2025 before receding to the current 0.0772, indicating later-emerging exploitation interest that warrants renewed attention for affected DECnet deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-44006
Vulnerability details
A null pointer dereference flaw was found in the Linux kernel's DECnet networking protocol. This issue could allow a remote user to crash the system.
- CWE(s): CWE-476 (NULL Pointer Dereference)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.