CVE-2023-3111

7.8 HIGH

📋 TL;DR

A use-after-free vulnerability in the Linux kernel's Btrfs filesystem allows local attackers to potentially crash the system or execute arbitrary code with kernel privileges. This affects Linux systems using Btrfs filesystems where users have access to the relevant ioctl commands. The vulnerability requires local access to trigger.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: Linux kernel versions before 5.15.90, 5.19.17, 6.0.15, and 6.1.1
Operating Systems: Linux distributions using affected kernel versions with Btrfs support
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with Btrfs filesystems mounted and where users have CAP_SYS_ADMIN or access to the relevant ioctl commands. Many cloud providers and containers use Btrfs.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local privilege escalation to kernel-level code execution, leading to complete system compromise, data corruption, or persistent backdoor installation.

🟠

Likely Case

Kernel panic or system crash causing denial of service, potentially leading to data loss on Btrfs volumes.

🟢

If Mitigated

Limited to denial of service if exploit fails or system has additional hardening, but still risks system instability.

🌐 Internet-Facing: LOW - Requires local access to trigger via ioctl calls, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Local users or compromised accounts with appropriate permissions could exploit this to escalate privileges or cause system crashes.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires calling specific ioctl sequences (btrfs_ioctl_balance before btrfs_ioctl_defrag) with appropriate permissions. No public exploit code has been released as of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in Linux kernel versions 5.15.90, 5.19.17, 6.0.15, 6.1.1 and later

Vendor Advisory: https://www.debian.org/security/2023/dsa-5480

Restart Required: Yes

Instructions:

1. Update the Linux kernel to a patched version via the distribution package manager.
2. For Debian/Ubuntu: apt update && apt upgrade linux-image-*
3. For RHEL/CentOS: yum update kernel
4. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Restrict ioctl access

Limit access to Btrfs ioctl commands using SELinux/AppArmor or capability restrictions.

# Example AppArmor rule: deny /dev/btrfs-control rw,
# Remove CAP_SYS_ADMIN from non-privileged users

Disable Btrfs or use an alternative filesystem

Avoid using the Btrfs filesystem if it is not required.

# Check Btrfs usage: findmnt -t btrfs
# Consider migrating to ext4 or xfs if possible

🧯 If You Can't Patch

  • Implement strict access controls to prevent non-privileged users from executing Btrfs ioctl commands
  • Monitor for suspicious Btrfs-related system calls and kernel panic events

🔍 How to Verify

Check if Vulnerable:

Check the kernel version with uname -r and compare it against the affected versions. Also verify whether Btrfs is in use: lsmod | grep btrfs and findmnt -t btrfs.

Check Version:

uname -r

Verify Fix Applied:

Confirm that the kernel version is 5.15.90+, 5.19.17+, 6.0.15+, or 6.1.1+ with uname -r, and test that Btrfs operations work normally.
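The version comparison above is easy to get wrong by hand (a "6.1.0-rc7" kernel sorts before "6.1.1", a "5.10" kernel is not in any series the advisory lists). The script below is an added example, not part of this advisory or of the kernel project: it classifies a release string against the fixed versions listed on this page, series by series, and then reports whether Btrfs is actually in use on the host. The helper names (split3, version_lt, cve_2023_3111_status, report_host) are made up here; only the version numbers come from the page. Distributions backport fixes without bumping the upstream version, so "vulnerable" means "check the distribution's own advisory", not proof of exposure.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not the advisory's own tooling):
# classify a kernel release against the CVE-2023-3111 fixed versions
# listed on the page, then check whether Btrfs is in use on this host.

# Print "MAJOR MINOR PATCH" for a release string such as "6.0.14-generic",
# treating missing components as 0 and dropping any suffix after PATCH.
split3() {
    v=$1
    maj=${v%%.*}
    case "$v" in *.*) r=${v#*.} ;; *) r=0 ;; esac
    min=${r%%.*}
    case "$r" in *.*) pat=${r#*.} ;; *) pat=0 ;; esac
    pat=$(printf '%s' "$pat" | sed 's/[^0-9].*//')
    [ -z "$pat" ] && pat=0
    echo "$maj $min $pat"
}

# Succeed (exit 0) when version $1 is strictly older than version $2.
version_lt() {
    # Word splitting of the two substitutions is intended here.
    set -- $(split3 "$1") $(split3 "$2")
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0
    [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ]
}

# Print one of: vulnerable, fixed, unlisted.
# "unlisted" means the stable series is not one the advisory names
# (for example 5.10 or 5.16); consult the distribution's own advisory.
cve_2023_3111_status() {
    set -- $(split3 "$1") "$1"   # $1 $2 $3 = maj min pat, $4 = original string
    case "$1.$2" in
        5.15) fixed=5.15.90 ;;
        5.19) fixed=5.19.17 ;;
        6.0)  fixed=6.0.15 ;;
        6.1)  fixed=6.1.1 ;;
        *)
            # Anything newer than the 6.1 series is "6.1.1 and later" per the page.
            if [ "$1" -gt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -gt 1 ]; }; then
                echo fixed
            else
                echo unlisted
            fi
            return 0 ;;
    esac
    if version_lt "$4" "$fixed"; then echo vulnerable; else echo fixed; fi
}

# Host-level report: kernel status plus whether Btrfs is mounted or loaded,
# since the advisory notes the bug only matters when Btrfs is in use.
report_host() {
    k=$(uname -r)
    echo "kernel $k: $(cve_2023_3111_status "$k")"
    if command -v findmnt >/dev/null 2>&1 && findmnt -t btrfs >/dev/null 2>&1; then
        echo "btrfs: mounted filesystems present"
    elif lsmod 2>/dev/null | grep -q '^btrfs '; then
        echo "btrfs: module loaded, no mounts"
    else
        echo "btrfs: not in use"
    fi
}

# Run the host check only when invoked with --host, so sourcing the file
# for its functions has no side effects.
if [ "${1:-}" = "--host" ]; then
    report_host
fi
```

Run it as `sh check-cve-2023-3111.sh --host` on each machine, or source it and feed `cve_2023_3111_status` the versions from an inventory export. The series-based lookup is deliberate: a plain lexical or `sort -V` comparison of "5.19.16" against "6.1.1" would report it as fixed, which is exactly the mistake the per-series fixed versions exist to prevent.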

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages in /var/log/kern.log or dmesg
  • Multiple btrfs_ioctl_balance and btrfs_ioctl_defrag calls from same process
  • Use-after-free or NULL pointer dereference kernel oops

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

source="kernel" AND ("panic" OR "oops" OR "use-after-free") AND "btrfs"
