CVE-2023-0394 Overview
CVE-2023-0394 is a NULL pointer dereference flaw in the rawv6_push_pending_frames function within net/ipv6/raw.c in the Linux kernel networking subsystem. A local authenticated attacker can trigger this flaw to crash the system, resulting in a denial of service. The vulnerability affects multiple Linux kernel versions, including the 6.2 release candidates. The flaw is tracked as [CWE-476] (NULL Pointer Dereference) and requires local low-privilege access to exploit. Upstream maintainers patched the issue in commit cb3e9864cdbe35ff6378966660edbcbac955fe17.
Critical Impact
A local user with low privileges can trigger a kernel crash by exercising the IPv6 raw socket code path, causing a denial of service on the affected host.
Affected Products
- Linux Kernel (mainline, prior to the upstream fix)
- Linux Kernel 6.2-rc1, 6.2-rc2, 6.2-rc3
- Downstream distributions including Debian (addressed via Debian LTS advisories) and NetApp products (per advisory NTAP-20230302-0005)
Discovery Timeline
- 2023-01-26 - CVE-2023-0394 published to NVD
- 2025-03-31 - Last updated in NVD database
Technical Details for CVE-2023-0394
Vulnerability Analysis
The flaw exists in rawv6_push_pending_frames, a function in the IPv6 raw socket handling code at net/ipv6/raw.c. The function dereferences a pointer that can be NULL under specific conditions when processing pending socket frames. When the dereference occurs, the kernel encounters an invalid memory access and panics, terminating execution and crashing the affected system.
This is a local availability issue. The CVSS vector indicates no impact on confidentiality or integrity, only high availability impact. Exploitation requires the attacker to already have access to the system with the ability to open IPv6 raw sockets, typically requiring CAP_NET_RAW or equivalent privileges in some configurations.
The issue is classified under [CWE-476] NULL Pointer Dereference. Because the crash occurs in kernel context, the result is a full system reboot requirement rather than a single-process failure.
Root Cause
The root cause is missing validation of a pointer before dereference inside rawv6_push_pending_frames. When the code path is reached with an unexpected socket state, the function operates on a NULL pointer, triggering a kernel oops. The upstream commit cb3e9864cdbe35ff6378966660edbcbac955fe17 adds the required check to prevent the dereference.
Attack Vector
An attacker with local access and the ability to create IPv6 raw sockets can craft a sequence of socket operations that drives execution into the vulnerable code path. The vulnerability cannot be triggered remotely without prior local access. The vulnerability does not provide code execution or information disclosure, but it allows a low-privileged user to crash multi-user or shared-tenant hosts.
No public proof-of-concept is listed for CVE-2023-0394, and the issue is not present in the CISA Known Exploited Vulnerabilities catalog. Refer to the upstream kernel commit for the precise code change.
Detection Methods for CVE-2023-0394
Indicators of Compromise
- Unexpected kernel panic or oops messages referencing rawv6_push_pending_frames or net/ipv6/raw.c in dmesg or /var/log/kern.log
- Sudden host reboots correlated with local user activity involving IPv6 raw sockets
- Crash dumps showing a NULL pointer dereference in the IPv6 networking stack
Detection Strategies
- Audit kernel crash logs and vmcore dumps for stack traces pointing to IPv6 raw socket functions
- Monitor auditd events for processes calling socket(AF_INET6, SOCK_RAW, ...) from non-privileged or unexpected accounts
- Correlate host availability loss events with preceding raw socket activity from user-space processes
Monitoring Recommendations
- Forward kernel logs to a centralized logging or SIEM platform for stack-trace pattern matching
- Alert on repeated kernel oops events from the same host within short intervals
- Track which workloads require CAP_NET_RAW and review whether that privilege can be removed
How to Mitigate CVE-2023-0394
Immediate Actions Required
- Inventory Linux hosts running kernel versions prior to the upstream fix, including 6.2-rc1 through 6.2-rc3
- Apply vendor-supplied kernel updates from Debian, NetApp, and other downstream distributions referenced in the advisories
- Restrict CAP_NET_RAW to only the workloads that genuinely require IPv6 raw sockets
Patch Information
The upstream fix is provided in Linux kernel commit cb3e9864cdbe35ff6378966660edbcbac955fe17. Distribution-specific updates are available via the Debian LTS Advisory (March 2023), the Debian LTS Advisory (May 2023), and the NetApp Security Advisory NTAP-20230302-0005. Administrators should install the kernel package version specified by their distribution and reboot.
Workarounds
- Where patching is delayed, drop CAP_NET_RAW from untrusted users and container workloads to limit who can open IPv6 raw sockets
- Disable IPv6 on hosts that do not require it via sysctl net.ipv6.conf.all.disable_ipv6=1 if operationally acceptable
- Use seccomp or LSM policies (AppArmor, SELinux) to restrict raw socket creation by non-essential processes
# Configuration example: restrict raw socket capability and verify kernel version
sudo setcap -r /path/to/untrusted/binary
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
uname -r # confirm a patched kernel is running after update and reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
