Cyber Resilience

CVE-2023-52999

Severity: High

Published: 27 March 2025

Modified: 01 April 2025
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (4.0th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-52999 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS exploit-likelihood ranking is the 4.0th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-11 (Error Handling).

Deeper analysis

CVE-2023-52999 is a Use After Free (UaF) vulnerability in the error path of the Linux kernel's network namespace (netns) operations registration, specifically within the ops_init() function. When net_assign_generic() fails, the existing error handling attempts to clear a slot in the per-namespace generic pointer array (the gen pointer). Because that array has not yet been grown or replaced at that point, the requested slot index lies beyond its current valid range, and the clearing write becomes a slab-out-of-bounds write. The issue was found by code inspection and verified on a KASAN-enabled kernel with explicit error injection, where it manifests as a kernel BUG during module loading (for example via modprobe).

A local attacker with low privileges (PR:L) can trigger this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), as reflected in its CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The faulty path is reached during netns operations registration, for example traffic control (tcf) action registration triggered by module loading. Successful exploitation has high confidentiality, integrity and availability impact, potentially allowing kernel memory corruption, code execution or a system crash.

Mitigation involves applying the upstream fix as carried by the stable-branch commits 12075708f2e77ee6a9f8bb2cf512c38be3099794, 66689a72ba73575e76d4f6a8748d3fa2690ec1c4, 71ab9c3e2253619136c31c89dbb2c69305cc89b1, ad0dfe9bcf0d78e699c7efb64c90ed062dc48bea and d4c008f3b7f7d4ffd311eb2dae5e75b3cbddacd0. These patches address the flaw by skipping the gen pointer dereference in the affected error path of ops_init(), so that a net_assign_generic() failure no longer touches the generic pointer array. Security practitioners should update to kernels incorporating these fixes and monitor for KASAN reports in environments with network namespace usage, keeping in mind that KASAN is a debug feature present only in instrumented builds, so an uninstrumented production kernel will not emit such a report.
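The error-path defect described above, modelled in user-space C as an added example (this is not kernel code and not code from this page's source). The structure names, the 16-byte private data, the array sizes and the functions ops_init_before_fix(), ops_init_after_fix() and run_scenario() are constructed for illustration; clear_slot() stands in for the kernel's unchecked slot write but counts an out-of-range index instead of performing it, so the model stays memory-safe while showing which version of the error path reaches that write.

```c
/* Added example: user-space model of the ops_init() error path before and
 * after the fix. Not kernel code; every name here is constructed.
 * Build and run: cc -std=c99 -Wall model.c && ./a.out */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the per-namespace generic pointer array (the "gen pointer"). */
struct net_generic {
    size_t len;      /* slots currently allocated */
    void *ptr[];     /* one slot per registered operations id */
};

struct net {
    struct net_generic *gen;
};

/* Model of net_assign_generic(): grow the array so slot `id` exists, then
 * store `data`. `fail_alloc` simulates the allocation failure that the
 * upstream report reproduced with error injection. */
static int net_assign_generic(struct net *net, size_t id, void *data, int fail_alloc)
{
    struct net_generic *ng = net->gen;

    if (id >= ng->len) {
        struct net_generic *nng;
        if (fail_alloc)
            return -1;               /* failure: net->gen is NOT replaced */
        nng = calloc(1, sizeof(*nng) + (id + 1) * sizeof(void *));
        if (!nng)
            return -1;
        nng->len = id + 1;
        memcpy(nng->ptr, ng->ptr, ng->len * sizeof(void *));
        free(ng);
        net->gen = ng = nng;
    }
    ng->ptr[id] = data;
    return 0;
}

/* Bounds-checked stand-in for the kernel's unchecked "ng->ptr[id] = NULL".
 * An out-of-range index is counted, not written; in the kernel that write is
 * the slab-out-of-bounds access KASAN flagged. */
static void clear_slot(struct net_generic *ng, size_t id, int *oob_writes)
{
    if (id >= ng->len) {
        (*oob_writes)++;
        return;
    }
    ng->ptr[id] = NULL;
}

struct outcome {
    int err;          /* return value of the modelled ops_init() */
    int oob_writes;   /* out-of-range slot writes attempted in the error path */
    int slot_cleared; /* 1 if slot `id` exists and was reset to NULL */
};

/* Before the fix: both failure points jump to one label placed inside the
 * slot-clearing block, so an assign failure clears a slot that was never grown. */
static int ops_init_before_fix(struct net *net, size_t id, int fail_alloc,
                               int init_fails, int *oob_writes)
{
    void *data = calloc(1, 16);
    int err;

    if (!data)
        return -1;
    err = net_assign_generic(net, id, data, fail_alloc);
    if (err)
        goto cleanup;                      /* bug: lands on the slot clear */
    err = init_fails ? -1 : 0;             /* model of ops->init(net) */
    if (!err)
        return 0;
cleanup:
    clear_slot(net->gen, id, oob_writes);  /* reached from both failures */
    free(data);
    return err;
}

/* After the fix: the assign failure skips the gen pointer dereference and only
 * releases the private data; the slot is cleared solely when init fails after
 * the slot was actually assigned. */
static int ops_init_after_fix(struct net *net, size_t id, int fail_alloc,
                              int init_fails, int *oob_writes)
{
    void *data = calloc(1, 16);
    int err;

    if (!data)
        return -1;
    err = net_assign_generic(net, id, data, fail_alloc);
    if (err)
        goto cleanup;                      /* fixed: no slot access here */
    err = init_fails ? -1 : 0;
    if (!err)
        return 0;
    clear_slot(net->gen, id, oob_writes);  /* slot exists: safe to clear */
cleanup:
    free(data);
    return err;
}

/* Run one scenario on a namespace with `len` slots, registering id `id`. */
static struct outcome run_scenario(int fixed, size_t len, size_t id,
                                   int fail_alloc, int init_fails)
{
    struct outcome o = {0, 0, 0};
    struct net net;

    net.gen = calloc(1, sizeof(*net.gen) + len * sizeof(void *));
    if (!net.gen) {
        o.err = -1;
        return o;
    }
    net.gen->len = len;
    o.err = fixed ? ops_init_after_fix(&net, id, fail_alloc, init_fails, &o.oob_writes)
                  : ops_init_before_fix(&net, id, fail_alloc, init_fails, &o.oob_writes);
    o.slot_cleared = (id < net.gen->len && net.gen->ptr[id] == NULL);
    if (o.err == 0 && id < net.gen->len)
        free(net.gen->ptr[id]);            /* success path: release private data */
    free(net.gen);
    return o;
}

int main(void)
{
    struct outcome a = run_scenario(0, 2, 5, 1, 0);   /* array has 2 slots, id 5 */
    struct outcome b = run_scenario(1, 2, 5, 1, 0);
    printf("before fix, assign fails: err=%d oob_writes=%d\n", a.err, a.oob_writes);
    printf("after fix,  assign fails: err=%d oob_writes=%d\n", b.err, b.oob_writes);
    return 0;
}
```

With a two-slot array and an id of 5, the pre-fix path attempts one out-of-range write when the assign fails, while the fixed path attempts none; both versions still clear the slot correctly in the legitimate case where init fails after the slot was assigned.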

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

net: fix UaF in netns ops registration error path

If net_assign_generic() fails, the current error path in ops_init() tries to clear the gen pointer slot. Anyway, in such error path, the gen pointer itself has not been modified yet, and the existing and accessed one is smaller than the accessed index, causing an out-of-bounds error:

BUG: KASAN: slab-out-of-bounds in ops_init+0x2de/0x320
Write of size 8 at addr ffff888109124978 by task modprobe/1018
CPU: 2 PID: 1018 Comm: modprobe Not tainted 6.2.0-rc2.mptcp_ae5ac65fbed5+ #1641
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x6a/0x9f
print_address_description.constprop.0+0x86/0x2b5
print_report+0x11b/0x1fb
kasan_report+0x87/0xc0
ops_init+0x2de/0x320
register_pernet_operations+0x2e4/0x750
register_pernet_subsys+0x24/0x40
tcf_register_action+0x9f/0x560
do_one_initcall+0xf9/0x570
do_init_module+0x190/0x650
load_module+0x1fa5/0x23c0
__do_sys_finit_module+0x10d/0x1b0
do_syscall_64+0x58/0x80
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f42518f778d
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d cb 56 2c 00 f7 d8 64 89 01 48
RSP: 002b:00007fff96869688 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 00005568ef7f7c90 RCX: 00007f42518f778d
RDX: 0000000000000000 RSI: 00005568ef41d796 RDI: 0000000000000003
RBP: 00005568ef41d796 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
R13: 00005568ef7f7d30 R14: 0000000000040000 R15: 0000000000000000
</TASK>

This change addresses the issue by skipping the gen pointer de-reference in the mentioned error-path.

Found by code inspection and verified with explicit error injection on a kasan-enabled kernel.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A local kernel UaF vulnerability that enables memory corruption and code execution from a low-privileged context during module loading, directly facilitating privilege escalation to kernel level.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23111 (same product: Linux Linux Kernel)
CVE-2026-31530 (same product: Linux Linux Kernel)
CVE-2023-52974 (same product: Linux Linux Kernel)
CVE-2026-43019 (same product: Linux Linux Kernel)
CVE-2026-23158 (same product: Linux Linux Kernel)
CVE-2025-21893 (same product: Linux Linux Kernel)
CVE-2026-31446 (same product: Linux Linux Kernel)
CVE-2022-49176 (same product: Linux Linux Kernel)
CVE-2022-49291 (same product: Linux Linux Kernel)
CVE-2026-31650 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 6.0.7, 6.2 · 4.19.264 to 4.19.272 · 5.4.223 to 5.4.231 · 5.10.153 to 5.10.166

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: SI-2 (Flaw Remediation). Directly mandates identification, prioritization, and remediation of kernel flaws like the UaF and slab-out-of-bounds write in the netns ops registration error path via patching.

prevent: (control not named on the page). Provides memory protection mechanisms such as kernel address space randomization and guard pages that mitigate exploitation of use-after-free and out-of-bounds vulnerabilities during module loading.

prevent: SI-11 (Error Handling). Enforces effective error handling in kernel operations to prevent out-of-bounds accesses in error paths like ops_init() when net_assign_generic() fails.

References