CVE-2023-6622 Overview
A null pointer dereference vulnerability was discovered in the nft_dynset_init() function within net/netfilter/nft_dynset.c in the nf_tables component of the Linux kernel. This vulnerability allows a local attacker holding the CAP_NET_ADMIN capability to trigger a denial of service condition by causing the kernel to dereference a null pointer during netfilter set expression handling.
Critical Impact
Local attackers with CAP_NET_ADMIN capabilities can crash affected Linux systems, causing service disruption and potential availability issues for critical infrastructure.
Affected Products
- Linux Kernel (versions prior to patch, including 6.7-rc1 through 6.7-rc4)
- Fedora 38 and Fedora 39
- Red Hat Enterprise Linux 8.0 and 9.0
Discovery Timeline
- 2023-12-08 - CVE-2023-6622 published to NVD
- 2025-06-25 - Last updated in NVD database
Technical Details for CVE-2023-6622
Vulnerability Analysis
The vulnerability resides in the nft_dynset_init() function responsible for initializing dynamic sets in the netfilter tables subsystem. The flaw occurs due to insufficient validation when handling dynset and set expressions. Specifically, the code failed to properly verify array bounds before accessing set expression elements, leading to potential null pointer dereference when the dynset expression count exceeds the set expression count.
This vulnerability requires local access to the system with CAP_NET_ADMIN capability, which is typically granted to administrators or privileged containers. While the exploitation requires elevated privileges, the impact is significant as it allows denial of service through kernel panic, affecting system availability.
Root Cause
The root cause is an improper bounds check in the nft_dynset_init() function. When iterating through dynset expressions and comparing them with set expressions, the original code only checked if the expression operations matched but failed to verify that the iteration index (i) was within the bounds of the set's expression array (set->num_exprs). This oversight allowed an out-of-bounds access that could result in dereferencing a null pointer when i >= set->num_exprs.
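To make the root cause concrete, here is an added C model of the check in nft_dynset_init(), written for this page rather than taken from the kernel. It relies on one kernel fact: struct nft_set carries a fixed array of NFT_SET_EXPR_MAX (two) expression slots of which only the first num_exprs are populated, so when a dynset supplies more expressions than the set defines, the unpatched comparison reads set->exprs[i] from an empty NULL slot. The struct layouts, the scenario() helper and the ops names are simplified assumptions.

```c
/* Added model of the nft_dynset_init() expression check; not kernel code. */
#include <stddef.h>
#include <errno.h>

#define NFT_SET_EXPR_MAX 2  /* the kernel's struct nft_set also has two expr slots */

struct nft_expr_ops { const char *name; };
struct nft_expr { const struct nft_expr_ops *ops; };

/* Simplified nft_set: only the first num_exprs slots of exprs[] are populated,
 * the rest stay NULL, which is the pointer the unpatched code dereferenced. */
struct nft_set {
    unsigned int num_exprs;
    struct nft_expr *exprs[NFT_SET_EXPR_MAX];
};

/* Patched logic from commit 3701cd3: dynset expression i must have a
 * counterpart in the set before its ops pointer is compared. */
static int dynset_check_exprs(const struct nft_set *set,
                              struct nft_expr *const *dyn, unsigned int ndyn)
{
    for (unsigned int i = 0; i < ndyn; i++) {
        if (!set->num_exprs)
            continue;              /* set declares no expressions: nothing to compare */
        if (i >= set->num_exprs)
            return -EINVAL;        /* CVE-2023-6622: set->exprs[i] is NULL here */
        if (dyn[i]->ops != set->exprs[i]->ops)
            return -EOPNOTSUPP;    /* same count, but expression types differ */
    }
    return 0;
}

/* Assumed helper: builds a set with set_n counter expressions and a dynset with
 * dyn_n expressions (the last one a limit when mismatch is set), then runs the check. */
static int scenario(unsigned int set_n, unsigned int dyn_n, int mismatch)
{
    static const struct nft_expr_ops counter_ops = { "counter" }, limit_ops = { "limit" };
    struct nft_expr counter = { &counter_ops }, limit = { &limit_ops };
    struct nft_set set = { .num_exprs = set_n };      /* unused exprs[] slots are NULL */
    struct nft_expr *dyn[NFT_SET_EXPR_MAX];

    for (unsigned int i = 0; i < set_n; i++)
        set.exprs[i] = &counter;
    for (unsigned int i = 0; i < dyn_n; i++)
        dyn[i] = (mismatch && i == dyn_n - 1) ? &limit : &counter;
    return dynset_check_exprs(&set, dyn, dyn_n);
}
```

scenario(1, 2, 0) is the crashing shape from the advisory (one set expression, two dynset expressions) and now returns -EINVAL instead of reaching a NULL slot, while scenario(2, 2, 1) returns -EOPNOTSUPP for a type mismatch.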
Attack Vector
To exploit this vulnerability, an attacker must:
- Have local access to the target system
- Possess CAP_NET_ADMIN capability (typically root or container administrator)
- Craft malicious nftables rules with mismatched dynset and set expressions
- Trigger the vulnerable code path in nft_dynset_init()
The attack results in a kernel null pointer dereference, causing a system crash or denial of service condition.
// Security patch for CVE-2023-6622 - bounds checking fix
// Source: https://github.com/torvalds/linux/commit/3701cd390fd731ee7ae8b8006246c8db82c72bea
priv->expr_array[i] = dynset_expr;
priv->num_exprs++;
- if (set->num_exprs &&
- dynset_expr->ops != set->exprs[i]->ops) {
- err = -EOPNOTSUPP;
- goto err_expr_free;
+ if (set->num_exprs) {
+ if (i >= set->num_exprs) {
+ err = -EINVAL;
+ goto err_expr_free;
+ }
+ if (dynset_expr->ops != set->exprs[i]->ops) {
+ err = -EOPNOTSUPP;
+ goto err_expr_free;
+ }
}
i++;
}
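Review bot: the new `i >= set->num_exprs` guard is correctly placed before `set->exprs[i]->ops` is read, but it runs after `priv->expr_array[i] = dynset_expr;` and `priv->num_exprs++;`, so both error paths depend on `err_expr_free` releasing the entry that was just stored; confirm that label walks `priv->expr_array` up to `priv->num_exprs` rather than `i`. A one-line comment explaining why a count mismatch is `-EINVAL` while an ops mismatch stays `-EOPNOTSUPP` would also help the next reader.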
Source: GitHub Linux Commit 3701cd3
Detection Methods for CVE-2023-6622
Indicators of Compromise
- Kernel panic messages referencing nft_dynset_init or nft_dynset.c in system logs
- Unexpected system crashes or reboots without hardware failure indicators
- Suspicious nftables rule manipulation attempts from privileged users or containers
- Audit log entries showing unusual CAP_NET_ADMIN activity
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for null pointer dereference errors in netfilter subsystem
- Implement auditd rules to track nftables configuration changes and CAP_NET_ADMIN usage
- Deploy kernel live patching solutions to detect vulnerability exploitation attempts
- Use SentinelOne Singularity Platform for real-time kernel-level threat detection
Monitoring Recommendations
- Enable kernel crash dump analysis (kdump) to capture diagnostic information during exploitation attempts
- Configure system monitoring to alert on unexpected kernel panics or forced reboots
- Monitor container runtime environments for unusual nftables manipulation
- Implement rate limiting on nftables rule changes in multi-tenant environments
How to Mitigate CVE-2023-6622
Immediate Actions Required
- Update Linux kernel to patched versions that include commit 3701cd390fd731ee7ae8b8006246c8db82c72bea
- Apply vendor security updates for Fedora (packages announced via Fedora Package Announce)
- Install Red Hat Enterprise Linux security updates per RHSA-2024:2394, RHSA-2024:2950, or RHSA-2024:3138
- Audit systems to identify users and containers with CAP_NET_ADMIN capability
Patch Information
The vulnerability has been addressed in the upstream Linux kernel through commit 3701cd390fd731ee7ae8b8006246c8db82c72bea. The fix adds proper bounds checking to ensure the dynset expression index does not exceed the set expression count before accessing array elements. Vendors have released the following security advisories:
- Red Hat Security Advisory RHSA-2024:2394
- Red Hat Security Advisory RHSA-2024:2950
- Red Hat Security Advisory RHSA-2024:3138
- Fedora Package Announcement
Workarounds
- Restrict CAP_NET_ADMIN capability to only essential users and services until patching is complete
- Use container security policies to limit nftables access in containerized environments
- Consider disabling nf_tables module (modprobe -r nf_tables) if not required for operations
- Implement mandatory access control (SELinux/AppArmor) policies to restrict netfilter manipulation
# Restrict CAP_NET_ADMIN capability until patches are applied
# List processes whose effective capability set includes CAP_NET_ADMIN (bit 12 of CapEff in /proc/PID/status; bash arithmetic)
for p in /proc/[0-9]*; do
    cap=$(awk '/^CapEff:/ {print $2}' "$p/status" 2>/dev/null) || continue
    [ -n "$cap" ] && [ $(( 0x$cap >> 12 & 1 )) -eq 1 ] && printf '%s %s\n' "${p#/proc/}" "$(cat "$p/comm")"
done
# Disable nf_tables module if not required (temporary workaround; modprobe -r fails while the module is in use)
modprobe -r nf_tables
echo "blacklist nf_tables" >> /etc/modprobe.d/blacklist-nftables.conf
# Verify current kernel version and check whether the package changelog mentions the fix (RPM-based distributions)
uname -r
rpm -q kernel --changelog | grep -i "nft_dynset\|CVE-2023-6622"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.