A memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel. This issue may allow a local attacker with CAP_NET_ADMIN privileges to cause a denial of service (DoS) attack due to a refcount overflow.
Fixes

Solution

No solution given by the vendor.


Workaround

Triggering this issue requires the ability to create user/net namespaces. On non-containerized deployments of Red Hat Enterprise Linux 8, you can disable user namespaces by setting user.max_user_namespaces to 0: # echo "user.max_user_namespaces=0" > /etc/sysctl.d/userns.conf # sysctl -p /etc/sysctl.d/userns.conf On containerized deployments, such as Red Hat OpenShift Container Platform, do not use this mitigation as the functionality is needed to be enabled. Alternatively, skip loading the affected netfilter module (i.e., nf_conntrack_netlink) onto the system until we have a fix available. This can be done by a blacklist mechanism which will ensure the driver is not loaded at boot time. ~~~ How do I blacklist a kernel module to prevent it from loading automatically? https://access.redhat.com/solutions/41278 ~~~

History

Thu, 14 Nov 2024 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-09-26T19:19:12.041Z

Reserved: 2023-12-30T18:12:05.167Z

Link: CVE-2023-7192

cve-icon Vulnrichment

Updated: 2024-08-02T08:57:34.101Z

cve-icon NVD

Status : Modified

Published: 2024-01-02T19:15:11.510

Modified: 2024-11-21T08:45:28.853

Link: CVE-2023-7192

cve-icon Redhat

Severity : Moderate

Publid Date: 2023-02-10T00:00:00Z

Links: CVE-2023-7192 - Bugzilla

cve-icon OpenCVE Enrichment

No data.