CVE-2023-42755 Overview
CVE-2023-42755 is an out-of-bounds read vulnerability in the IPv4 Resource Reservation Protocol (RSVP) classifier in the Linux kernel. The flaw resides in the rsvp_classify function, where the xprt pointer can move beyond the linear portion of the socket buffer (skb). A local user with the ability to load or interact with traffic control classifiers can trigger the condition and crash the kernel. The issue is tracked under CWE-125 (Out-of-bounds Read) and impacts multiple Linux distributions, including Red Hat Enterprise Linux and Debian.
Critical Impact
A local, authenticated user can cause kernel memory corruption that results in a denial of service through a system crash.
Affected Products
- Linux Kernel (upstream)
- Red Hat Enterprise Linux 8
- Debian Linux 10
Discovery Timeline
- 2023-10-05 - CVE-2023-42755 published to NVD
- 2023-10 - Debian LTS advisory issued (see Debian LTS Announcement October 2023)
- 2024-01 - Additional Debian LTS advisory issued (see Debian LTS Announcement January 2024)
- 2024 - Red Hat releases fixes via RHSA-2024:2950 and RHSA-2024:3138
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-42755
Vulnerability Analysis
The vulnerability exists in the Linux kernel's traffic control (tc) subsystem, specifically the RSVP classifier implemented in net/sched/cls_rsvp.h. When processing packets, the rsvp_classify function calculates an offset into the packet to locate transport-layer header information referenced by the xprt pointer. The code fails to verify that the computed pointer remains within the linear region of the skb buffer before dereferencing it.
When an attacker triggers classification against a malformed or specially crafted packet, the kernel reads memory outside the intended buffer bounds. This out-of-bounds read can corrupt kernel state and cause a panic, halting the affected system.
Root Cause
The defect is a missing bounds check on the xprt pointer prior to dereferencing data from the skb linear buffer. The classifier assumes the transport header lies within the contiguous portion of the packet without validating the offset against skb->len or invoking the appropriate header pull helpers.
Attack Vector
Exploitation requires local access with privileges sufficient to configure or interact with traffic control filters. An attacker installs an RSVP classifier and submits crafted traffic that drives rsvp_classify to read beyond the linear skb region. The result is a kernel oops and denial of service. The CVSS vector indicates no confidentiality or integrity impact, only availability loss. Further technical detail is documented in the Red Hat CVE Analysis and OSS-Sec Mailing List Discussion.
Detection Methods for CVE-2023-42755
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing cls_rsvp or rsvp_classify in /var/log/kern.log or dmesg output.
- Unscheduled system reboots on hosts that use traffic control with RSVP classifiers.
- Presence of RSVP tc filters configured by non-administrative users.
Detection Strategies
- Inventory running kernel versions against the fixed builds published in RHSA-2024:2950 and the Debian LTS announcements.
- Audit tc filter show output across hosts to identify use of the RSVP classifier, which is uncommon in modern deployments.
- Monitor for kernel crash dumps captured by kdump and correlate stack traces against the RSVP code path.
Monitoring Recommendations
- Forward kernel logs to a centralized logging or SIEM platform and alert on panic signatures involving net/sched.
- Track local privilege usage of the CAP_NET_ADMIN capability, which is required to install tc classifiers.
- Review changes to network namespace configuration that introduce new classifier rules.
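The log and filter checks listed above can be scripted. The following is an added example, not vendor or kernel-project code: the function names are hypothetical, the sample log and tc lines are constructed, and it assumes tc filter show prints the classifier kind after "pref <n>".

```shell
#!/usr/bin/env bash
# Added example for CVE-2023-42755 triage; every sample line below is constructed.

# Count crash reports (oops, panic, KASAN) with a stack frame in the RSVP classifier.
# Input: kernel log text on stdin, e.g. from dmesg or /var/log/kern.log.
rsvp_crash_count() {
  awk '
    /Oops|BUG:|Kernel panic/ { in_report = 1; counted = 0 }
    in_report && !counted && !/Modules linked in/ &&
      /rsvp_classify|\[cls_rsvp6?\]/ { counted = 1; n++ }
    /end trace/ { in_report = 0 }
    END { print n + 0 }'
}

# Print filter lines whose classifier kind is rsvp or rsvp6.
# Input: `tc filter show` output on stdin (assumed layout: "... pref <n> <kind> ...").
rsvp_filters() {
  awk '{ for (i = 1; i + 2 <= NF; i++)
           if ($i == "pref" && $(i + 2) ~ /^rsvp6?$/) { print; break } }'
}

sample_kern_log() {   # constructed: one RSVP crash, one unrelated oops
  cat <<'EOF'
kernel: eth0: link up
kernel: BUG: KASAN: slab-out-of-bounds in rsvp_classify+0x1a2/0x5f0 [cls_rsvp]
kernel: Call Trace:
kernel:  rsvp_classify+0x1a2/0x5f0 [cls_rsvp]
kernel:  tcf_classify+0x9c/0x1d0
kernel: ---[ end trace 0000000000000000 ]---
kernel: BUG: unable to handle page fault for address: ffff888000000000
kernel: Oops: 0000 [#1] SMP
kernel: Modules linked in: cls_rsvp sch_htb
kernel: RIP: 0010:ext4_readdir+0x40/0x900
kernel: ---[ end trace 0000000000000000 ]---
EOF
}

sample_tc_output() {  # constructed: one rsvp filter chain, one u32 chain
  cat <<'EOF'
filter parent 1: protocol ip pref 10 rsvp chain 0
filter parent 1: protocol ip pref 10 rsvp chain 0 fh 0x0002100b session 10.0.0.2/5000 ipproto udp flowid 1:10
filter parent 1: protocol ip pref 20 u32 chain 0
filter parent 1: protocol ip pref 20 u32 chain 0 fh 800: ht divisor 1
EOF
}

echo "RSVP crash reports: $(sample_kern_log | rsvp_crash_count)"
sample_tc_output | rsvp_filters
```

The second report in the sample lists cls_rsvp only under "Modules linked in", so it is not counted: a loaded module alone does not place the crash in the RSVP code path.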
How to Mitigate CVE-2023-42755
Immediate Actions Required
- Apply the vendor-supplied kernel updates from Red Hat, Debian, or your upstream distribution.
- Reboot affected systems after patching to load the corrected kernel image.
- Restrict CAP_NET_ADMIN to trusted administrative accounts to limit who can install traffic control classifiers.
Patch Information
Red Hat addressed the vulnerability in RHSA-2024:2950 and RHSA-2024:3138. Debian published fixes in the Debian LTS Announcement October 2023 and Debian LTS Announcement January 2024. Tracking and analysis details are available in the Red Hat Bug Report #2239847.
Workarounds
- Blacklist the cls_rsvp and cls_rsvp6 kernel modules where the RSVP classifier is not required.
- Remove existing RSVP filters with tc filter del to prevent the vulnerable code path from being reached.
- Restrict creation of network namespaces by unprivileged users via sysctl kernel.unprivileged_userns_clone=0 on distributions where applicable.
# Configuration example
# Prevent the vulnerable RSVP classifier modules from loading
echo 'install cls_rsvp /bin/true' | sudo tee /etc/modprobe.d/disable-rsvp.conf
echo 'install cls_rsvp6 /bin/true' | sudo tee -a /etc/modprobe.d/disable-rsvp.conf
# Unload modules if currently loaded
sudo rmmod cls_rsvp6 2>/dev/null
sudo rmmod cls_rsvp 2>/dev/null
# Verify the modules are not in use
lsmod | grep rsvp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

