CVE-2023-3338

Severity: Medium · Public PoC

Published: 30 June 2023

Modified: 21 November 2024
KEV Added: (not listed)
Patch: (see vendor advisories)
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0772 (92.1 percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-3338 is a medium-severity NULL Pointer Dereference (CWE-476) vulnerability in Debian Linux. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 7.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

A null pointer dereference vulnerability exists in the Linux kernel's DECnet networking protocol implementation, tracked as CVE-2023-3338. The flaw is classified under CWE-476 and carries a CVSS 3.1 score of 6.5, reflecting a network attack vector, low attack complexity, and low privileges required; the impact is a denial-of-service condition that affects system availability while leaving confidentiality and integrity intact.

An authenticated remote attacker can send specially crafted network traffic to a system with DECnet enabled, causing the kernel to dereference a null pointer and crash. The result is a reboot or loss of service, with no user interaction required and no need for elevated privileges on the target.

Red Hat, Debian, and other distributions have published advisories and backported fixes through their respective kernel update channels, as referenced in the listed Red Hat Bugzilla entry and Debian LTS announcements. The EPSS score rose from lower values after the 2023 disclosure to a peak of 0.1123 in December 2025 before receding to the current 0.0772, indicating later-emerging exploitation interest that warrants renewed attention for affected DECnet deployments.

Vulnerability details

A null pointer dereference flaw was found in the Linux kernel's DECnet networking protocol. This issue could allow a remote user to crash the system.

CWE(s)

CWE-476: NULL Pointer Dereference

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- linux: linux kernel, versions ≤ 6.5
- netapp: active iq unified manager, all versions
- debian: debian linux, versions 10.0 and 11.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References