CVE-2023-2163
published 2023-09-20


Priority: P2, 79, high
CVSS 3.1: 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Exploited in the wild (VulnCheck KEV)
EPSS: 3.55% (87.8th percentile)
Incorrect verifier pruning in BPF in Linux Kernel >=5.4 leads to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and container escape.

Affected

15 ranges

Vendor | Product | Version range | Fixed in
debian | linux | < linux 6.1.27-1 (bookworm) | linux 6.1.27-1 (bookworm)
google | chrome_chrome | | 
linux | linux_kernel | < 71b547f561247897a0a14f3082730156c0533fed | 71b547f561247897a0a14f3082730156c0533fed
linux | linux_kernel | >= 0 < 5.10.179-1 | 5.10.179-1
linux | linux_kernel | >= 0 < 6.1.27-1 | 6.1.27-1
linux | linux_kernel | >= 0 < 6.1.27-1 | 6.1.27-1
linux | linux_kernel | >= 0 < 6.1.27-1 | 6.1.27-1
linux | linux_kernel | >= 0 < 5.4.0-162.179 | 5.4.0-162.179
linux | linux_kernel | >= 0 < 5.15.0-79.86 | 5.15.0-79.86
linux | linux_kernel | >= 5.11 < 5.15.109 | 5.15.109
linux | linux_kernel | >= 5.16 < 6.1.26 | 6.1.26
linux | linux_kernel | >= 5.3 < 5.4.242 | 5.4.242
linux | linux_kernel | >= 5.5 < 5.10.179 | 5.10.179
linux | linux_kernel | >= 6.2 < 6.2.13 | 6.2.13
msrc | cbl2_kernel_5.15.133.1-1_on_cbl_mariner_2.0 | | 

Detection & IOCs (extracted from sources)

URL: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=71b547f561247897a0a14f3082730156c0533fed
Hash (fix commit): 71b547f561247897a0a14f3082730156c0533fed
  • Monitor for unprivileged eBPF usage; the vulnerability requires CAP_SYS_ADMIN or root to exploit when kernel.unprivileged_bpf_disabled=1 is set. Audit the sysctl value to detect exposure.
  • Check /proc/sys/kernel/unprivileged_bpf_disabled; a value other than 1 indicates unprivileged BPF is enabled and the system is exposed to this vulnerability.
  • Affected Linux kernel versions are >=5.4; flag systems running kernel 5.4 or later without the patch commit 71b547f561247897a0a14f3082730156c0533fed applied.
  • On Debian, systems running kernel versions prior to 6.1.27-1 (bookworm/forky/sid/trixie) or 5.10.179-1 (bullseye) are vulnerable and should be flagged.
  • Exploitation requires CAP_SYS_ADMIN or root privileges when kernel.unprivileged_bpf_disabled=1; the attack surface is significantly reduced in default RHEL configurations.
  • RHEL 9.3 and later are not affected because the required patch was applied before CVE creation; RHEL 6 and 7 are also not affected.
  • The scope of exploitation is local; no source indicates remote exploitation.
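As an added example (not code from the CVE record or from any of its sources), the POSIX shell script below applies the two detection bullets above on a host: it reads kernel.unprivileged_bpf_disabled and compares the running kernel's upstream version part against the affected upstream ranges listed in the table. The function names, the status strings, and the choice to treat every sysctl value other than 1 as exposed (following the bullet above) are assumptions of this example. Distribution kernels that carry a backported fix (for instance Debian 6.1.27-1 or the Ubuntu 5.4.0-162.179 / 5.15.0-79.86 builds) report a patched package version that the upstream-only comparison does not understand; check those against the package versions in the table instead.

```shell
#!/bin/sh
# Added exposure check for CVE-2023-2163 (example code, not from the CVE record's sources).
# Two indicators taken from the detection notes above:
#   1. kernel.unprivileged_bpf_disabled: only the value 1 is treated as restricted.
#   2. the running kernel's upstream version against the listed affected ranges.

# bpf_exposure VALUE -> prints "restricted" when unprivileged BPF is disabled without
# recovery (1) and "exposed" for anything else. 0 = unprivileged bpf() allowed;
# 2 = disabled, but a privileged process may set it back to 0, so it is not treated
# as restricted here (assumption of this example, following the bullet above).
bpf_exposure() {
    case "$1" in
        1) echo "restricted" ;;
        *) echo "exposed" ;;
    esac
}

# version_lt A B -> exit 0 when dotted version A is strictly lower than B.
# Fields are compared as integers; missing trailing fields count as 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        if [ "$ax" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bx" = "$b" ]; then b=""; else b=${b#*.}; fi
        ax=${ax:-0}; bx=${bx:-0}
        if [ "$ax" -lt "$bx" ]; then return 0; fi
        if [ "$ax" -gt "$bx" ]; then return 1; fi
    done
    return 1
}

# in_range V LO HI -> exit 0 when LO <= V < HI
in_range() {
    ! version_lt "$1" "$2" && version_lt "$1" "$3"
}

# kernel_status UNAME_R -> "vulnerable" when the upstream version part of a
# `uname -r` string falls inside one of the affected ranges listed in the record,
# otherwise "not-listed-as-affected" (below 5.3, in a gap between ranges, or at or
# above a listed fix version). Distro package versions are not interpreted.
kernel_status() {
    v=${1%%-*}           # strip "-18-amd64", "-generic", ... from uname -r
    v=${v%%[!0-9.]*}     # keep only the leading digits-and-dots part
    for r in "5.3 5.4.242" "5.5 5.10.179" "5.11 5.15.109" "5.16 6.1.26" "6.2 6.2.13"; do
        set -- $r        # word-split "LO HI" into $1 and $2
        if in_range "$v" "$1" "$2"; then
            echo "vulnerable"
            return 0
        fi
    done
    echo "not-listed-as-affected"
}

# report -> prints both indicators for the host the script runs on
report() {
    val=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || echo "unreadable")
    kver=$(uname -r)
    echo "kernel.unprivileged_bpf_disabled=$val -> $(bpf_exposure "$val")"
    echo "kernel $kver -> $(kernel_status "$kver") (upstream ranges only)"
}

report
```

Run it as root or any local user; both indicators are world-readable. A result of "exposed" plus "vulnerable" means the unprivileged path the record describes is open, while "restricted" plus "vulnerable" means the bug is present but reachable only with CAP_SYS_ADMIN or root, as the notes above state.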

CVSS provenance

Source | Score | Severity | Vector
nvd (v3.1) | 8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
osv | 8.8 | HIGH | 
vulncheck | 10.0 | CRITICAL | 
vendor_debian | 10.0 | CRITICAL | 
vendor_redhat | 10.0 | CRITICAL | 
vendor_msrc | 8.8 | HIGH | 
vendor_ubuntu | 6.8 | MEDIUM | 