CVE-2023-52581
Description
Important: kernel security, bug fix, and enhancement update
Description
kernel: netfilter: nf_tables: memory leak when more than 255 elements expired
Red Hat statement
Exploiting this flaw will require CAP_NET_ADMIN access privilege in any user or network namespace. Also, on non-containerized deployments of Red Hat Enterprise Linux, you can disable user namespaces by setting user.max_user_namespaces to 0:
$ echo "user.max_user_namespaces=0" > /etc/sysctl.d/userns.conf
$ sysctl -p /etc/sysctl.d/userns.conf
On containerized deployments, such as Red Hat OpenShift Container Platform, do not use this mitigation as the functionality is needed to be enabled.
CVSS v3: 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 8 | kernel-rt-0:4.18.0-553.rt7.342.el8_10 | RHSA-2024:2950 | 2024-05-22T00:00:00Z |
| Red Hat Enterprise Linux 8 | kernel-0:4.18.0-553.el8_10 | RHSA-2024:3138 | 2024-05-22T00:00:00Z |
| Red Hat Enterprise Linux 9 | kernel-0:5.14.0-427.13.1.el9_4 | RHSA-2024:2394 | 2024-04-30T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 6 | kernel | Not affected |
| Red Hat Enterprise Linux 7 | kernel | Out of support scope |
| Red Hat Enterprise Linux 7 | kernel-rt | Out of support scope |
| Red Hat Enterprise Linux 9 | kernel-rt | Affected |
Apply commands
yum update -y kernel-rt
# or:
dnf upgrade -y kernel-rt
Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | Red Hat Enterprise Linux 6 | Not affected |
| redhat | Red Hat Enterprise Linux 9 | Affected |
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Affected | - |
AlmaLinux Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | kernel-doc-5.14.0-427.13.1.el9_4.noarch.rpm |
| 8 | Fixed | kernel-abi-stablelists-4.18.0-553.el8_10.noarch.rpm |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 6.5.6-1 |
| sid | Fixed | 6.5.6-1 |
| forky | Fixed | 6.5.6-1 |
| bullseye | Fixed | 0 |
| bookworm | Fixed | 0 |
Red Hat Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | - |
| 8 | Fixed | - |
Rocky Linux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | - |
References
- https://access.redhat.com/errata/RHSA-2024:2394
- https://errata.rockylinux.org/RLSA-2024:2950
- https://www.suse.com/security/cve/CVE-2023-52581.html
- https://security-tracker.debian.org/tracker/CVE-2023-52581
- https://access.redhat.com/errata/RHSA-2024:3138
- https://bugzilla.redhat.com/1731000
- https://bugzilla.redhat.com/1746732
- https://bugzilla.redhat.com/1888726
- https://bugzilla.redhat.com/1999589
- https://bugzilla.redhat.com/2039178
- https://bugzilla.redhat.com/2043520
- https://bugzilla.redhat.com/2044578
- https://bugzilla.redhat.com/2150953
- https://bugzilla.redhat.com/2151959
- https://bugzilla.redhat.com/2177759
- https://bugzilla.redhat.com/2179892
- https://bugzilla.redhat.com/2213132
- https://bugzilla.redhat.com/2218332
- https://bugzilla.redhat.com/2219359
- https://bugzilla.redhat.com/2221039
- https://bugzilla.redhat.com/2221463
- https://bugzilla.redhat.com/2221702
- https://bugzilla.redhat.com/2226777
- https://bugzilla.redhat.com/2226784
- https://bugzilla.redhat.com/2226787