CVE-2023-31248
published 2023-07-05

CVE-2023-31248: Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability

Priority: P2 78 · Severity: high · CVSS 3.1 base score: 7.8
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 2.16% (79.9th percentile)
Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability: nft_chain_lookup_byid() failed to check whether a chain was still active before returning it, and the CAP_NET_ADMIN needed to reach the bug is available in any user or network namespace, so an unprivileged local user who can create a user namespace can trigger it (CVSS PR:L, AV:L).

Affected (23 ranges)

Vendor          Product         Version range                    Fixed in
canonical       ubuntu_linux    -                                -
canonical       ubuntu_linux    -                                -
canonical       ubuntu_linux    -                                -
canonical       ubuntu_linux    -                                -
canonical       ubuntu_linux    -                                -
debian          debian_linux    -                                -
debian          linux           < linux 6.1.38-1 (bookworm)      linux 6.1.38-1 (bookworm)
fedoraproject   fedora          -                                -
fedoraproject   fedora          -                                -
linux           linux_kernel    -                                -
linux           linux_kernel    >= 0 < 5.10.179-2                5.10.179-2
linux           linux_kernel    >= 0 < 6.1.38-1                  6.1.38-1
linux           linux_kernel    >= 0 < 6.4.4-1                   6.4.4-1
linux           linux_kernel    >= 0 < 6.4.4-1                   6.4.4-1
linux           linux_kernel    >= 0 < 5.15.0-78.85              5.15.0-78.85
linux           linux_kernel    >= 0 < 4.4.0-243.277             4.4.0-243.277
linux           linux_kernel    >= 0 < 4.15.0-214.225            4.15.0-214.225
linux           linux_kernel    >= 0 < 5.4.0-155.172             5.4.0-155.172
linux           linux_kernel    >= 0 < 5.15.0-78.85              5.15.0-78.85
linux           linux_kernel    >= 5.11 < 5.15.121               5.15.121
linux           linux_kernel    >= 5.16 < 6.1.39                 6.1.39
linux           linux_kernel    >= 5.9 < 5.10.188                5.10.188
linux           linux_kernel    >= 6.2 < 6.4.4                   6.4.4

Rows marked "-" carry no version data on this page. Only the last four linux/linux_kernel rows are upstream stable ranges (the bug is present from 5.9 and fixed in 5.10.188, 5.15.121, 6.1.39 and 6.4.4); the remaining linux/linux_kernel rows carry Debian (x.y.z-n) and Ubuntu (x.y.0-nn.mm) package versions and should be read as distribution fixed versions, not upstream ones.

Detection & IOCs (extracted from sources)

  • Root cause: nft_chain_lookup_byid() in net/netfilter/nf_tables_api.c returned a chain without checking that it was still active, so a chain deleted within the same nftables transaction could still be looked up by its transaction-scoped ID and used after free. Kernel-internal use-after-free activity is not observable from userspace, so detection has to target the precursors below rather than the function itself.
  • Precondition: the attacker needs CAP_NET_ADMIN, which any unprivileged user obtains inside a new user namespace (unshare/clone with CLONE_NEWUSER, normally together with CLONE_NEWNET). Alert on unprivileged, non-container processes creating user or network namespaces, and on such processes then opening NETLINK_NETFILTER sockets: nftables is driven only over nfnetlink, so that socket is the path to the vulnerable code.
  • Hardening that removes the precondition where unprivileged user namespaces are not needed: set user.max_user_namespaces=0 (upstream sysctl) or, on Debian/Ubuntu kernels that ship it, kernel.unprivileged_userns_clone=0.
  • Blacklisting the nf_tables kernel module (the netfilter module that implements nftables) mitigates the vulnerability but disables all nftables functionality; assess the impact on host firewalling before applying.
  • Red Hat Enterprise Linux 6, 7, and 8 are confirmed NOT affected; only RHEL 9 required patching. Scope detection and patch tracking accordingly.
  • Debian fixed versions are: bookworm 6.1.38-1, bullseye 5.10.179-2, forky/sid/trixie 6.4.4-1. Systems running older kernels in these suites remain vulnerable.
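The following is an added example, not code from the CVE record, the kernel tree or any of the cited vendors. It turns the two facts above into a host exposure check: whether the running upstream kernel falls inside one of the vulnerable ranges from the Affected table, and whether an unprivileged process on this host can actually obtain CAP_NET_ADMIN through a new user and network namespace. It assumes the standard /proc/sys paths for user.max_user_namespaces and the Debian/Ubuntu-only kernel.unprivileged_userns_clone, and it deliberately does not touch nftables. The upstream ranges do not apply to distribution kernels, which backport fixes under their own package versions; for those, compare the package version against the distro's fixed version from the table instead.

```c
/* Added example for CVE-2023-31248 (not from the CVE record or the kernel tree):
 * a host exposure check. (1) Is the upstream kernel inside a vulnerable range from
 * the Affected table: [5.9, 5.10.188), [5.11, 5.15.121), [5.16, 6.1.39), [6.2, 6.4.4)?
 * Distro kernels backport fixes, so compare their package version with the distro's
 * fixed version instead. (2) Can an unprivileged process obtain CAP_NET_ADMIN via a
 * new user+net namespace, the precondition the advisory names? Run as a normal user. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sched.h>
#include <sys/utsname.h>
#ifndef CLONE_NEWUSER              /* fallbacks if _GNU_SOURCE was not honoured */
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWNET  0x40000000
#endif
int unshare(int flags);
#endif
struct kver { int major, minor, patch; };
static int kver_cmp(struct kver a, struct kver b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    return (a.patch > b.patch) - (a.patch < b.patch);
}
/* Half-open upstream ranges [lo, hi) copied from the Affected table. */
static const struct { struct kver lo, hi; } vuln_ranges[] = {
    { {5, 9, 0}, {5, 10, 188} }, { {5, 11, 0}, {5, 15, 121} },
    { {5, 16, 0}, {6, 1, 39} },  { {6, 2, 0}, {6, 4, 4} },
};
/* Parse the leading "major.minor[.patch]" of a uname release such as "6.1.38-1-amd64"
 * or "5.15.0-78-generic". 1 = inside a vulnerable upstream range, 0 = outside,
 * -1 = release string not parseable. */
int upstream_vulnerable(const char *release)
{
    struct kver v = {0, 0, 0};
    size_t i;
    if (sscanf(release, "%d.%d.%d", &v.major, &v.minor, &v.patch) < 2) return -1;
    for (i = 0; i < sizeof vuln_ranges / sizeof vuln_ranges[0]; i++)
        if (kver_cmp(v, vuln_ranges[i].lo) >= 0 && kver_cmp(v, vuln_ranges[i].hi) < 0)
            return 1;
    return 0;
}
/* Decide from sysctl text whether unprivileged user namespaces are allowed.
 * max_user_ns: /proc/sys/user/max_user_namespaces; unpriv_clone: the
 * Debian/Ubuntu-only /proc/sys/kernel/unprivileged_userns_clone (NULL if absent). */
int userns_sysctls_permit(const char *max_user_ns, const char *unpriv_clone)
{
    if (max_user_ns && strtol(max_user_ns, NULL, 10) <= 0) return 0;
    if (unpriv_clone && strtol(unpriv_clone, NULL, 10) == 0) return 0;
    return 1;
}
/* Locate the CapEff line of /proc/<pid>/status and test bit 12 (CAP_NET_ADMIN). */
int capeff_has_net_admin(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    return p ? (int)((strtoull(p + 7, NULL, 16) >> 12) & 1ULL) : 0;
}
/* Read a small file into buf; returns buf on success, NULL otherwise. */
static char *read_file(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    size_t got;
    if (!f) return NULL;
    got = fread(buf, 1, n - 1, f);
    fclose(f);
    buf[got] = '\0';
    return buf;
}
int main(void)
{
#ifdef __linux__
    struct utsname u; char a[64], b[64], st[8192]; int v;
    uname(&u);
    v = upstream_vulnerable(u.release);
    printf("kernel %s: %s\n", u.release, v == 1 ? "inside a vulnerable upstream range" :
           v == 0 ? "outside the listed upstream ranges" : "release not parseable");
    printf("sysctls permit unprivileged user namespaces: %s\n",
           userns_sysctls_permit(read_file("/proc/sys/user/max_user_namespaces", a, sizeof a),
                                 read_file("/proc/sys/kernel/unprivileged_userns_clone", b, sizeof b))
           ? "yes" : "no");
    /* Live probe: the creator of a new user namespace holds a full capability set
     * inside it, which is the CAP_NET_ADMIN path the advisory describes. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0)
        printf("unshare(CLONE_NEWUSER|CLONE_NEWNET): %s; precondition not met\n", strerror(errno));
    else if (read_file("/proc/self/status", st, sizeof st) && capeff_has_net_admin(st))
        puts("CAP_NET_ADMIN held in the new namespace: nftables netlink is reachable");
    else
        puts("no CAP_NET_ADMIN after unshare");
#endif
    return 0;
}
```

Run it as an ordinary user (as root the unshare probe proves nothing). A host that reports "inside a vulnerable upstream range" and "CAP_NET_ADMIN held in the new namespace" has both the bug and the reachable precondition; the sysctl line tells you whether the user-namespace hardening above would close the path without touching nftables itself.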

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv             -         7.8     HIGH       -
vulncheck       -         7.8     HIGH       -
vendor_debian   -         7.8     HIGH       -
vendor_redhat   -         7.8     HIGH       -
vendor_ubuntu   -         7.8     HIGH       -