
CVE-2023-52999

Severity: High

Published: 27 March 2025
Modified: 01 April 2025
KEV Added: not listed
Patch: available (see Security Summary)
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.9th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Security Summary

CVE-2023-52999 is a Use After Free (UaF) vulnerability in the Linux kernel's network namespace (netns) operations registration error path, specifically within the ops_init() function. When net_assign_generic() fails, the existing error handling attempts to clear the corresponding generic pointer slot; because the generic pointer array has not yet been updated at that point, the slot index lies beyond the array's current valid range, and the clearing write lands out of bounds of the slab allocation (a slab-out-of-bounds write). The issue was identified through code inspection and confirmed on a KASAN-enabled kernel with explicit error injection, where it manifests as a kernel BUG during module loading (for example via modprobe).

A local attacker with low privileges (PR:L) can trigger this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), as reflected in its CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerable path is reached during netns operations registration, for example traffic control (tcf) action registration triggered by module loading. Successful exploitation has high confidentiality, integrity, and availability impact, potentially allowing arbitrary kernel memory corruption, code execution, or a system crash.

Mitigation involves applying the upstream kernel patches from the stable branch commits 12075708f2e77ee6a9f8bb2cf512c38be3099794, 66689a72ba73575e76d4f6a8748d3fa2690ec1c4, 71ab9c3e2253619136c31c89dbb2c69305cc89b1, ad0dfe9bcf0d78e699c7efb64c90ed062dc48bea, and d4c008f3b7f7d4ffd311eb2dae5e75b3cbddacd0. These patches fix the flaw by skipping the generic pointer dereference in the affected error path of ops_init(). Security practitioners should update to kernels that incorporate these fixes and monitor for KASAN reports in environments that make use of network namespaces.

Details

CWE(s): CWE-416 (Use After Free)

Affected Products

Vendor: linux
Product: linux kernel
Affected versions: 6.0.7, 6.2; 4.19.264 to 4.19.272; 5.4.223 to 5.4.231; 5.10.153 to 5.10.166

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

A local kernel UaF vulnerability that enables arbitrary memory corruption and code execution from a low-privileged context during module loading directly facilitates privilege escalation to kernel level.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
