{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2023-54243", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-30T12:06:44.510Z", "datePublished": "2025-12-30T12:11:31.180Z", "dateUpdated": "2026-05-23T15:34:37.345Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-23T15:34:37.345Z" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ebtables: fix table blob use-after-free\n\nWe are not allowed to return an error at this point.\nLooking at the code it looks like ret is always 0 at this\npoint, but its not.\n\nt = find_table_lock(net, repl->name, &ret, &ebt_mutex);\n\n... this can return a valid table, with ret != 0.\n\nThis bug causes update of table->private with the new\nblob, but then frees the blob right away in the caller.\n\nSyzbot report:\n\nBUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168\nRead of size 4 at addr ffffc90005425000 by task kworker/u4:4/74\nWorkqueue: netns cleanup_net\nCall Trace:\n kasan_report+0xbf/0x1f0 mm/kasan/report.c:517\n __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168\n ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372\n ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169\n cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:613\n...\n\nip(6)tables appears to be ok (ret should be 0 at this point) but make\nthis more obvious." } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "net/bridge/netfilter/ebtables.c", "net/ipv4/netfilter/ip_tables.c", "net/ipv6/netfilter/ip6_tables.c" ], "versions": [ { "version": "c58dd2dd443c26d856a168db108a0cd11c285bf3", "lessThan": "9060abce3305ab2354c892c09d5689df51486df5", "status": "affected", "versionType": "git" }, { "version": "c58dd2dd443c26d856a168db108a0cd11c285bf3", "lessThan": "dbb3cbbf03b3c52cb390fabec357f1e4638004f5", "status": "affected", "versionType": "git" }, { "version": "c58dd2dd443c26d856a168db108a0cd11c285bf3", "lessThan": "3dd6ac973351308d4117eda32298a9f1d68764fd", "status": "affected", "versionType": "git" }, { "version": "c58dd2dd443c26d856a168db108a0cd11c285bf3", "lessThan": "cda0e0243bd3c04008fcd37a46b0269fb3c49249", "status": "affected", "versionType": "git" }, { "version": "c58dd2dd443c26d856a168db108a0cd11c285bf3", "lessThan": "e58a171d35e32e6e8c37cfe0e8a94406732a331f", "status": "affected", "versionType": "git" }, { "version": "a3bc0f8ea439762aa62d40a295157410498cbea7", "status": "affected", "versionType": "git" }, { "version": "8ed40c122919cd79bc3c059e5864e5e7d9d455f0", "status": "affected", "versionType": "git" }, { "version": "c5e4ef499cfc78de45a4f01b8c557b5964d77c53", "status": "affected", "versionType": "git" }, { "version": "f34728610b2a8c7b9864f9404f2884c17f6fca5c", "status": "affected", "versionType": "git" }, { "version": "8b5740915a9faa8b1fa9166193a33e2a9ae30ec6", "status": "affected", "versionType": "git" }, { "version": "3.2.60", "lessThan": "3.3", "status": "affected", "versionType": "semver" }, { "version": "3.4.91", "lessThan": "3.5", "status": "affected", "versionType": "semver" }, { "version": "3.10.41", "lessThan": "3.11", "status": "affected", "versionType": "semver" }, { "version": "3.12.21", "lessThan": "3.13", "status": "affected", "versionType": "semver" }, { "version": "3.14.5", "lessThan": "3.15", "status": "affected", "versionType": "semver" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "net/bridge/netfilter/ebtables.c", "net/ipv4/netfilter/ip_tables.c", "net/ipv6/netfilter/ip6_tables.c" ], "versions": [ { "version": "3.15", "status": "affected" }, { "version": "0", "lessThan": "3.15", "status": "unaffected", "versionType": "semver" }, { "version": "5.10.173", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.15.100", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.1.18", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.2.5", "lessThanOrEqual": "6.2.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.15", "versionEndExcluding": "5.10.173" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.15", "versionEndExcluding": "5.15.100" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.15", "versionEndExcluding": "6.1.18" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.15", "versionEndExcluding": "6.2.5" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.15", "versionEndExcluding": "6.3" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2.60" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4.91" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10.41" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.12.21" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14.5" } ] } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/9060abce3305ab2354c892c09d5689df51486df5" }, { "url": "https://git.kernel.org/stable/c/dbb3cbbf03b3c52cb390fabec357f1e4638004f5" }, { "url": "https://git.kernel.org/stable/c/3dd6ac973351308d4117eda32298a9f1d68764fd" }, { "url": "https://git.kernel.org/stable/c/cda0e0243bd3c04008fcd37a46b0269fb3c49249" }, { "url": "https://git.kernel.org/stable/c/e58a171d35e32e6e8c37cfe0e8a94406732a331f" } ], "title": "netfilter: ebtables: fix table blob use-after-free", "x_generator": { "engine": "bippy-1.2.0" } } } }