CVE-2023-4623 Overview
CVE-2023-4623 is a use-after-free vulnerability [CWE-416] in the Linux kernel's net/sched: sch_hfsc component, which implements the Hierarchical Fair Service Curve (HFSC) queueing discipline for traffic control. A local user who can configure queueing disciplines (CAP_NET_ADMIN, which an otherwise unprivileged user can obtain inside a user namespace where those are enabled) can trigger the flaw to corrupt kernel memory and escalate privileges to root. The bug occurs when a class with a link-sharing curve (HFSC_FSC set) is attached to a parent class without one: init_vf() inserts the parent into its own parent's virtual-time tree, but update_vf() never removes it, leaving an imbalance between vttree_insert() and vttree_remove(). Once the parent class is deleted, the tree still holds a dangling pointer to freed memory that subsequent scheduler operations dereference. The flaw affects multiple Linux kernel versions and downstream distributions, including Debian Linux 10.
Critical Impact
Local attackers with the ability to configure network queueing disciplines can achieve full root privilege escalation, compromising the confidentiality, integrity, and availability of the host.
Affected Products
- Linux Kernel (multiple versions prior to the fix commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f)
- Debian Linux 10
- Distributions shipping vulnerable kernels, including Ubuntu (addressed via Kernel Live Patch LSN-0099-1)
Discovery Timeline
- 2023-09-06 - CVE-2023-4623 published to NVD
- 2025-03-20 - Last updated in NVD database
Technical Details for CVE-2023-4623
Vulnerability Analysis
The Hierarchical Fair Service Curve (HFSC) queueing discipline shapes classes of traffic using up to three service curves per class: real-time (HFSC_RSC), link-sharing (HFSC_FSC), and upper-limit (HFSC_USC). For link-sharing, every inner class keeps a red-black tree (the virtual-time tree, vt_tree) of its currently active children, ordered by virtual time, from which it picks the next child to serve. The scheduler assumes that every inner class carries a link-sharing curve; the vulnerability is that this assumption was never enforced when classes were created, while the activation path (init_vf()) and the deactivation path (update_vf()) treat the HFSC_FSC flag differently.
When a class with HFSC_FSC set is attached to a parent that has no link-sharing curve, the first packet enqueued on the child runs init_vf(), which walks from the child up towards the root and, without checking HFSC_FSC, inserts each newly active class into its parent's vt_tree via vttree_insert(); the parent is therefore inserted into the root's tree and its cl_nactive count is incremented. When the child later drains, update_vf() walks the same path but skips any class without HFSC_FSC, so vttree_remove() is never called for the parent and its cl_nactive never returns to zero. If the parent class is then deleted, the root's vt_tree still points at the freed hfsc_class object, and the next tree operation that touches it (a scheduling decision, or another rb-tree insert or erase) is a use-after-free.
Root Cause
The root cause is asymmetric flag checking between the insertion and removal logic in the HFSC scheduler, on top of an unenforced design assumption: HFSC expects every inner (non-root, non-leaf) class to have a link-sharing curve, but class configuration allowed a class without one to become a parent. init_vf() inserts a class into its parent's tree unconditionally, while update_vf() removes it only if the class carries HFSC_FSC. This breaks the invariant that every insertion has a matching removal, leaving stale pointers in kernel data structures.
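The following model, written for this page as an added example (it is not kernel code and not from the fix commit), makes the insertion/removal asymmetry described in the analysis and root-cause sections above concrete. It keeps the control-flow shape of init_vf() and update_vf() from net/sched/sch_hfsc.c but replaces the per-parent red-black tree with a set and drops all virtual-time arithmetic, tracking only tree membership and cl_nactive. The fixed=True path models the check introduced by commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f (a parent other than the root must have a link-sharing curve); the class names "1:1" and "1:10" are arbitrary.

```python
"""Simplified model of the HFSC virtual-time-tree bookkeeping behind CVE-2023-4623.

Added example written for this page; it is not kernel code. It keeps the shape
of init_vf()/update_vf() in net/sched/sch_hfsc.c: activation walks up the
class hierarchy and inserts each newly active class into its parent's tree
regardless of flags, while deactivation skips every class lacking HFSC_FSC.
The per-parent red-black tree is modelled as a plain set and the virtual-time
arithmetic is left out; only tree membership and cl_nactive are tracked."""

HFSC_RSC, HFSC_FSC, HFSC_USC = 0x1, 0x2, 0x4   # curve flags, values as in sch_hfsc.c


class HfscClass:
    def __init__(self, name, parent=None, flags=0):
        self.name, self.parent, self.flags = name, parent, flags
        self.nactive = 0      # cl_nactive: active children (or own activity for a leaf)
        self.vt_tree = set()  # stands in for the rb-tree of this class's active children


def vttree_insert(cl):
    cl.parent.vt_tree.add(cl)


def vttree_remove(cl):
    cl.parent.vt_tree.discard(cl)


def init_vf(cl):
    """Leaf goes active: mirrors 'if (go_active && cl->cl_nactive++ == 0)'.
    Note that there is no HFSC_FSC check before vttree_insert()."""
    go_active = True
    while cl.parent is not None:
        if go_active:
            was_idle = cl.nactive == 0
            cl.nactive += 1
            go_active = was_idle
        if go_active:
            vttree_insert(cl)
        cl = cl.parent


def update_vf(cl):
    """Leaf goes idle: mirrors the skip and 'if (go_passive && --cl->cl_nactive == 0)'.
    A class without HFSC_FSC is skipped, so it is never removed from its
    parent's tree and its nactive never returns to zero."""
    go_passive = True
    while cl.parent is not None:
        if (cl.flags & HFSC_FSC) and cl.nactive != 0:
            if go_passive:
                cl.nactive -= 1
                go_passive = cl.nactive == 0
            if go_passive:
                vttree_remove(cl)
        cl = cl.parent


def hfsc_change_class(name, parent, flags, fixed):
    """Create a class under parent. With fixed=True, apply the check added by
    commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f: a parent other than the
    root must carry a link-sharing curve, otherwise the request fails (EINVAL)."""
    if fixed and parent.parent is not None and not (parent.flags & HFSC_FSC):
        raise ValueError("Invalid parent - parent class must have FSC")
    return HfscClass(name, parent, flags)


def run_scenario(fixed, parent_flags=HFSC_RSC):
    """root -> inner class with parent_flags -> leaf with HFSC_FSC; activate and
    drain the leaf, then delete the inner class. Returns (class_created,
    names of deleted classes still referenced from some tree)."""
    root = HfscClass("root")                    # q->root: cl_parent == NULL
    inner = HfscClass("1:1", root, parent_flags)
    try:
        leaf = hfsc_change_class("1:10", inner, HFSC_FSC, fixed)
    except ValueError:
        return False, []
    init_vf(leaf)      # first packet queued on the leaf
    update_vf(leaf)    # leaf drains; a non-FSC inner class stays in root.vt_tree
    freed = {inner}    # 'tc class del' frees the inner class...
    dangling = [c.name for owner in (root, inner) for c in owner.vt_tree if c in freed]
    return True, dangling


if __name__ == "__main__":
    print("vulnerable:", run_scenario(fixed=False))                                   # (True, ['1:1'])
    print("fixed:     ", run_scenario(fixed=True))                                    # (False, [])
    print("FSC parent:", run_scenario(fixed=False, parent_flags=HFSC_RSC | HFSC_FSC))  # (True, [])
```

The third scenario shows why the fix is sufficient: when the inner class does carry HFSC_FSC, update_vf() reaches it, decrements cl_nactive back to zero and removes it, so every vttree_insert() is matched by a vttree_remove().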
Attack Vector
Exploitation requires local access and CAP_NET_ADMIN over a network namespace. On distributions that allow unprivileged user namespace creation (the default on many current ones), any local user can obtain this by creating a user namespace together with a network namespace, in which a qdisc can be attached to a virtual interface such as lo. An attacker creates an HFSC qdisc, attaches a parent class without a link-sharing curve, then attaches a child class with HFSC_FSC set and passes traffic through it so that the parent is inserted into the virtual time tree. Deleting the parent class leaves the freed object referenced from that tree. Subsequent allocations from the same slab cache can reclaim the freed memory with attacker-controlled content, which is the usual route from a kernel use-after-free to control-flow hijacking and privilege escalation to root.
The vulnerability mechanism is documented in the upstream commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f. See the Linux Kernel Git Commit and Kernel Dance Commit Details for the fix.
Detection Methods for CVE-2023-4623
Indicators of Compromise
- Unexpected kernel oops or panic messages in dmesg or /var/log/kern.log whose backtrace references hfsc_ or vttree_ symbols, or rb_erase reached from sch_hfsc code (rb_erase on its own is used throughout the kernel and is only meaningful alongside HFSC frames).
- Unprivileged processes invoking tc qdisc add ... hfsc followed by rapid class creation and deletion sequences.
- Creation of unprivileged user namespaces by non-administrative accounts immediately preceding tc activity.
Detection Strategies
- Audit execve events for tc (/sbin/tc or /usr/sbin/tc) invocations from non-root UIDs, especially with the hfsc subcommand.
- Monitor for unshare() or clone() syscalls with CLONE_NEWUSER and CLONE_NEWNET flags followed by network configuration commands.
- Hunt for kernel ring buffer entries containing BUG: KASAN: use-after-free or general protection fault originating from sch_hfsc (the sch_hfsc.ko module, or the built-in code when the kernel is configured with CONFIG_NET_SCH_HFSC=y).
Monitoring Recommendations
- Enable auditd rules for tc execution and netlink socket creation by unprivileged users.
- Forward kernel logs to a centralized SIEM and alert on Oops: or KASAN strings tied to scheduler modules.
- Track loaded kernel modules and flag systems where sch_hfsc is loaded on hosts that do not require HFSC traffic shaping; the module is loaded on demand by the first tc command that requests an hfsc qdisc, so its unexpected presence is itself a signal.
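The script below, an added example written for this page (not part of the kernel, iproute2 or auditd projects), implements the indicators and strategies listed above over log lines: it scans a kernel log for crash markers whose backtrace references HFSC code, and it parses auditd SYSCALL/EXECVE records to find tc invocations by non-root UIDs that name the hfsc qdisc, as well as unshare() calls requesting CLONE_NEWUSER. The sample lines are constructed; the auditd record layout (type=, msg=audit(ts:serial):, key=value fields, EXECVE a0..aN) is the real one, but every address, PID, timestamp and serial is made up, and the syscall numbers assume x86_64 (arch=c000003e).

```python
"""Detection logic for the CVE-2023-4623 indicators on this page: HFSC-related
kernel crash reports, non-root 'tc ... hfsc' executions, and user-namespace
creation, all taken from log lines.

Added example written for this page; not part of the kernel, iproute2 or
auditd. Sample data is constructed. Syscall numbers assume x86_64."""
import re
from collections import defaultdict

# Kernel log: a crash marker whose backtrace (or the marker line itself) names HFSC code.
CRASH_MARKER = re.compile(r"BUG: KASAN: use-after-free|general protection fault|Oops:")
HFSC_CODE = re.compile(r"\b(?:hfsc_\w+|vttree_\w+|rb_erase|sch_hfsc)\b")
TRACE_WINDOW = 40  # lines after a marker to treat as its backtrace


def scan_kernel_log(lines):
    """Return crash-marker lines whose following backtrace (up to the next marker
    or TRACE_WINDOW lines) references HFSC scheduler code."""
    hits = []
    for i, line in enumerate(lines):
        if not CRASH_MARKER.search(line):
            continue
        window = [line]
        for nxt in lines[i + 1:i + TRACE_WINDOW]:
            if CRASH_MARKER.search(nxt):
                break
            window.append(nxt)
        if any(HFSC_CODE.search(w) for w in window):
            hits.append(line)
    return hits


# auditd: records of one event share the serial inside msg=audit(ts:serial).
AUDIT_HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
KV_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYS_EXECVE, SYS_UNSHARE = 59, 272                  # x86_64 syscall numbers
CLONE_NEWUSER, CLONE_NEWNET = 0x10000000, 0x40000000


def parse_audit_events(lines):
    """Group auditd records by event serial: {serial: {record_type: {field: value}}}."""
    events = defaultdict(dict)
    for line in lines:
        m = AUDIT_HEADER.match(line.strip())
        if m:
            rtype, _ts, serial, body = m.groups()
            events[int(serial)][rtype] = {k: v.strip('"') for k, v in KV_FIELD.findall(body)}
    return events


def execve_argv(fields):
    """Rebuild argv from an EXECVE record's a0..aN fields (plain, unencoded values)."""
    return [fields.get(f"a{i}", "") for i in range(int(fields.get("argc", "0")))]


def find_unprivileged_hfsc_tc(lines):
    """(serial, uid, argv) for tc executions by a non-root UID whose arguments name hfsc."""
    hits = []
    for serial, recs in sorted(parse_audit_events(lines).items()):
        sc, ex = recs.get("SYSCALL"), recs.get("EXECVE")
        if not sc or not ex or sc.get("syscall") != str(SYS_EXECVE):
            continue
        argv = execve_argv(ex)
        if sc.get("exe", "").endswith("/tc") and int(sc.get("uid", "0")) != 0 and "hfsc" in argv:
            hits.append((serial, int(sc["uid"]), argv))
    return hits


def find_unprivileged_userns(lines):
    """(serial, uid, flags) for unshare() calls by non-root UIDs requesting CLONE_NEWUSER.
    auditd logs syscall arguments as bare hex, so a0 is parsed with base 16."""
    hits = []
    for serial, recs in sorted(parse_audit_events(lines).items()):
        sc = recs.get("SYSCALL")
        if not sc or sc.get("syscall") != str(SYS_UNSHARE):
            continue
        flags = int(sc.get("a0", "0"), 16)
        if int(sc.get("uid", "0")) != 0 and flags & CLONE_NEWUSER:
            hits.append((serial, int(sc["uid"]), flags))
    return hits


# Constructed sample data (not real logs).
SAMPLE_KERNEL_LOG = [
    "[  421.003117] BUG: KASAN: use-after-free in hfsc_enqueue+0x3a1/0x7c0 [sch_hfsc]",
    "[  421.003120] Read of size 8 at addr ffff888011c2a040 by task tc/2317",
    "[  421.003126] Call Trace:",
    "[  421.003129]  vttree_insert+0x5c/0x120 [sch_hfsc]",
    "[  500.100000] general protection fault, probably for non-canonical address 0xdead000000000122: 0000 [#1] SMP",
    "[  500.100005] RIP: 0010:rb_erase+0x1e/0x2e0",
    "[  500.100009]  hfsc_dequeue+0x210/0x5a0 [sch_hfsc]",
    "[  900.000000] usb 1-1: new high-speed USB device number 3 using xhci_hcd",
    "[  950.000000] Oops: 0000 [#2] SMP PTI",
    "[  950.000004] RIP: 0010:ext4_map_blocks+0x44/0x5f0",
]
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1694000099.900:3000): arch=c000003e syscall=272 success=yes exit=0 a0=50000000 a1=0 a2=0 a3=0 pid=2300 auid=1000 uid=1000 gid=1000 euid=1000 comm="unshare" exe="/usr/bin/unshare"',
    'type=SYSCALL msg=audit(1694000100.101:3001): arch=c000003e syscall=59 success=yes exit=0 ppid=2300 pid=2317 auid=1000 uid=1000 gid=1000 euid=1000 comm="tc" exe="/usr/sbin/tc" key="tc_exec"',
    'type=EXECVE msg=audit(1694000100.101:3001): argc=9 a0="tc" a1="qdisc" a2="add" a3="dev" a4="lo" a5="root" a6="handle" a7="1:" a8="hfsc"',
    'type=SYSCALL msg=audit(1694000100.205:3002): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2400 auid=0 uid=0 gid=0 euid=0 comm="tc" exe="/usr/sbin/tc" key="tc_exec"',
    'type=EXECVE msg=audit(1694000100.205:3002): argc=9 a0="tc" a1="qdisc" a2="add" a3="dev" a4="eth0" a5="root" a6="handle" a7="1:" a8="hfsc"',
    'type=SYSCALL msg=audit(1694000100.300:3003): arch=c000003e syscall=59 success=yes exit=0 ppid=2300 pid=2418 auid=1000 uid=1000 gid=1000 euid=1000 comm="tc" exe="/usr/sbin/tc" key="tc_exec"',
    'type=EXECVE msg=audit(1694000100.300:3003): argc=3 a0="tc" a1="qdisc" a2="show"',
]

if __name__ == "__main__":
    for h in scan_kernel_log(SAMPLE_KERNEL_LOG):
        print("kernel:", h)
    for h in find_unprivileged_hfsc_tc(SAMPLE_AUDIT_LOG):
        print("tc hfsc by uid", h[1], "serial", h[0], " ".join(h[2]))
    for h in find_unprivileged_userns(SAMPLE_AUDIT_LOG):
        print("userns by uid", h[1], "serial", h[0], hex(h[2]))
```

Two details matter in practice. auditd reports UIDs relative to the initial user namespace, so a process that is "root" inside an unprivileged user namespace still shows uid=1000 in the SYSCALL record; that is what makes the uid != 0 filter meaningful, and the root-run event 3002 is correctly ignored while 3003 (tc qdisc show, no hfsc) is not a hit. The kernel-log scanner deliberately requires an HFSC reference within the backtrace rather than anywhere in the log, because rb_erase and general protection faults occur in many unrelated subsystems; the unrelated Oops at 950 in the sample is not reported.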
How to Mitigate CVE-2023-4623
Immediate Actions Required
- Upgrade the Linux kernel to a version containing commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f or apply the distribution-supplied patched package.
- Apply Debian LTS updates per the Debian LTS Announcement October 2023 and Debian LTS Announcement January 2024.
- Apply Ubuntu Kernel Live Patch LSN-0099-1 where applicable, as described in the Packet Storm Security Notice.
- Restrict creation of unprivileged user namespaces on systems that do not require them.
Patch Information
The upstream fix does not change the tree bookkeeping in init_vf() or update_vf(). Instead it enforces the assumption the scheduler already relied on: hfsc_change_class() now rejects, with EINVAL, any attempt to attach a class to a parent other than the root that lacks a link-sharing curve (HFSC_FSC), so a class without one can no longer become an inner class and the unbalanced insertion cannot be set up. The patched commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f is in the mainline Linux kernel tree, and downstream distributions including Debian and Ubuntu have backported it into their supported kernel branches. After patching, the tc command that previously created the vulnerable hierarchy fails instead of succeeding, which is a simple way to confirm the fix is present.
Workarounds
- Blacklist the sch_hfsc kernel module on hosts that do not require HFSC traffic shaping to remove the vulnerable code path.
- Set kernel.unprivileged_userns_clone=0 (Debian/Ubuntu kernels only) or user.max_user_namespaces=0 (any kernel) to prevent unprivileged users from gaining CAP_NET_ADMIN inside user namespaces. Note that both settings also break software that depends on user namespaces, such as rootless containers, Flatpak and browser sandboxes, so test before deploying broadly; user.max_user_namespaces=0 additionally blocks root from creating them.
- Restrict access to the tc binary via filesystem permissions or mandatory access control policies such as AppArmor or SELinux.
# Configuration example: disable HFSC module loading and unprivileged user namespaces
# modprobe runs /bin/true instead of loading sch_hfsc; also unload it if already present
echo 'install sch_hfsc /bin/true' | sudo tee /etc/modprobe.d/disable-hfsc.conf
sudo modprobe -r sch_hfsc 2>/dev/null || true
# Debian/Ubuntu kernels only; elsewhere use user.max_user_namespaces=0 instead
sudo sysctl -w kernel.unprivileged_userns_clone=0
echo 'kernel.unprivileged_userns_clone=0' | sudo tee -a /etc/sysctl.d/99-hardening.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


