CVE-2023-1095 — NULL Pointer Dereference in Kernel
Severity
5.5MEDIUMNVD
OSV6.7OSV5.9
EPSS
0.0%
top 96.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedFeb 28
Latest updateAug 19
Description
In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list -- the list head is all zeroes, this results in a NULL pointer dereference.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6
Affected Packages4 packages
Also affects: Enterprise Linux 8.0, 9.0
Patches
🔴Vulnerability Details
6GHSA▶
GHSA-grc4-c844-m2mx: In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object↗2023-03-01
OSV▶
CVE-2023-1095: In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object↗2023-02-28
📋Vendor Advisories
9📄Research Papers
1💬Community
1Bugzilla▶
CVE-2024-27065 kernel: netfilter: nf_tables: do not compare internal table flags on updates↗2024-05-01