{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-54243", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-30T12:06:44.510Z", "datePublished": "2025-12-30T12:11:31.180Z", "dateUpdated": "2025-12-30T12:11:31.180Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-30T12:11:31.180Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ebtables: fix table blob use-after-free\n\nWe are not allowed to return an error at this point.\nLooking at the code it looks like ret is always 0 at this\npoint, but its not.\n\nt = find_table_lock(net, repl->name, &ret, &ebt_mutex);\n\n... this can return a valid table, with ret != 0.\n\nThis bug causes update of table->private with the new\nblob, but then frees the blob right away in the caller.\n\nSyzbot report:\n\nBUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168\nRead of size 4 at addr ffffc90005425000 by task kworker/u4:4/74\nWorkqueue: netns cleanup_net\nCall Trace:\n kasan_report+0xbf/0x1f0 mm/kasan/report.c:517\n __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168\n ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372\n ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169\n cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:613\n...\n\nip(6)tables appears to be ok (ret should be 0 at this point) but make\nthis more obvious."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bridge/netfilter/ebtables.c", "net/ipv4/netfilter/ip_tables.c", "net/ipv6/netfilter/ip6_tables.c"], "versions": [{"version": "c58dd2dd443c26d856a168db108a0cd11c285bf3", "lessThan": "9060abce3305ab2354c892c09d5689df51486df5", "status": "affected", "versionType": "git"}, {"version": "c58dd2dd443c26d856a168db108a0cd11c285bf3", "lessThan": "dbb3cbbf03b3c52cb390fabec357f1e4638004f5", "status": "affected", "versionType": "git"}, {"version": "c58dd2dd443c26d856a168db108a0cd11c285bf3", "lessThan": "3dd6ac973351308d4117eda32298a9f1d68764fd", "status": "affected", "versionType": "git"}, {"version": "c58dd2dd443c26d856a168db108a0cd11c285bf3", "lessThan": "cda0e0243bd3c04008fcd37a46b0269fb3c49249", "status": "affected", "versionType": "git"}, {"version": "c58dd2dd443c26d856a168db108a0cd11c285bf3", "lessThan": "e58a171d35e32e6e8c37cfe0e8a94406732a331f", "status": "affected", "versionType": "git"}, {"version": "a3bc0f8ea439762aa62d40a295157410498cbea7", "status": "affected", "versionType": "git"}, {"version": "8ed40c122919cd79bc3c059e5864e5e7d9d455f0", "status": "affected", "versionType": "git"}, {"version": "c5e4ef499cfc78de45a4f01b8c557b5964d77c53", "status": "affected", "versionType": "git"}, {"version": "f34728610b2a8c7b9864f9404f2884c17f6fca5c", "status": "affected", "versionType": "git"}, {"version": "8b5740915a9faa8b1fa9166193a33e2a9ae30ec6", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bridge/netfilter/ebtables.c", "net/ipv4/netfilter/ip_tables.c", "net/ipv6/netfilter/ip6_tables.c"], "versions": [{"version": "3.15", "status": "affected"}, {"version": "0", "lessThan": "3.15", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.173", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.100", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.18", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2.5", "lessThanOrEqual": "6.2.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.15", "versionEndExcluding": "5.10.173"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.15", "versionEndExcluding": "5.15.100"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.15", "versionEndExcluding": "6.1.18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.15", "versionEndExcluding": "6.2.5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.15", "versionEndExcluding": "6.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2.60"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4.91"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10.41"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.12.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14.5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9060abce3305ab2354c892c09d5689df51486df5"}, {"url": "https://git.kernel.org/stable/c/dbb3cbbf03b3c52cb390fabec357f1e4638004f5"}, {"url": "https://git.kernel.org/stable/c/3dd6ac973351308d4117eda32298a9f1d68764fd"}, {"url": "https://git.kernel.org/stable/c/cda0e0243bd3c04008fcd37a46b0269fb3c49249"}, {"url": "https://git.kernel.org/stable/c/e58a171d35e32e6e8c37cfe0e8a94406732a331f"}], "title": "netfilter: ebtables: fix table blob use-after-free", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ebtables: fix table blob use-after-free\n\nWe are not allowed to return an error at this point.\nLooking at the code it looks like ret is always 0 at this\npoint, but its not.\n\nt = find_table_lock(net, repl->name, &ret, &ebt_mutex);\n\n... this can return a valid table, with ret != 0.\n\nThis bug causes update of table->private with the new\nblob, but then frees the blob right away in the caller.\n\nSyzbot report:\n\nBUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168\nRead of size 4 at addr ffffc90005425000 by task kworker/u4:4/74\nWorkqueue: netns cleanup_net\nCall Trace:\n kasan_report+0xbf/0x1f0 mm/kasan/report.c:517\n __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168\n ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372\n ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169\n cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:613\n...\n\nip(6)tables appears to be ok (ret should be 0 at this point) but make\nthis more obvious."}], "id": "CVE-2023-54243", "lastModified": "2025-12-30T13:16:12.880", "metrics": {}, "published": "2025-12-30T13:16:12.880", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3dd6ac973351308d4117eda32298a9f1d68764fd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9060abce3305ab2354c892c09d5689df51486df5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cda0e0243bd3c04008fcd37a46b0269fb3c49249"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/dbb3cbbf03b3c52cb390fabec357f1e4638004f5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e58a171d35e32e6e8c37cfe0e8a94406732a331f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}