CVE-2023-31248

7.8 HIGH

📋 TL;DR

CVE-2023-31248 is a use-after-free vulnerability in the Linux kernel's nftables subsystem that allows local attackers to escalate privileges. The flaw is that nft_chain_lookup_byid() failed to check whether the chain it looked up was still active, so a chain that is no longer active could be returned and used after it had been freed. Reaching this code path requires only CAP_NET_ADMIN, which an unprivileged user can obtain inside a user or network namespace. Any Linux system with nftables enabled and an unpatched kernel is affected.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: Specific affected versions vary by distribution; generally Linux kernels before fixes in mid-2023
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires nftables to be enabled/loaded; many modern distributions use nftables by default replacing iptables.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Local unprivileged user gains full root privileges, compromising the entire system and potentially accessing all data and resources.

🟠

Likely Case

Local user with some access escalates to root, installs persistence mechanisms, accesses sensitive data, and moves laterally.

🟢

If Mitigated

Attackers without local access cannot exploit this flaw; systems with strict user controls limit the damage even where it is exploited.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring existing local access, not remotely exploitable.
🏢 Internal Only: HIGH - Any compromised local account (including low-privilege users) can escalate to root on affected systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires local access and knowledge of kernel exploitation; public proof-of-concept exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Varies by distribution; check specific vendor advisories for patched kernel versions

Vendor Advisory: Multiple - see references in CVE description for distribution-specific advisories

Restart Required: Yes

Instructions:

1. Check your Linux distribution's security advisory.
2. Update the kernel package using your package manager (apt/yum/dnf/zypper).
3. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Disable nftables module

Unload the nftables kernel modules to prevent exploitation. This drops any loaded nftables ruleset, so expect the host firewall to break until the modules are reloaded. The nft_* modules depend on nf_tables, so they must be unloaded first and nf_tables last; with nf_tables first, rmmod fails with "Module nf_tables is in use". A module that is not loaded only reports "is not currently loaded" and can be skipped; `lsmod | grep '^nf_tables'` shows in its last column which dependents are still loaded. Neither this nor the blacklist below helps when nf_tables is compiled into the kernel (CONFIG_NF_TABLES=y); in that case only the kernel update removes the flaw.

sudo rmmod nft_chain_nat
sudo rmmod nft_ct
sudo rmmod nft_counter
sudo rmmod nft_limit
sudo rmmod nft_log
sudo rmmod nft_masq
sudo rmmod nft_nat
sudo rmmod nft_redir
sudo rmmod nft_reject
sudo rmmod nft_set_hash
sudo rmmod nft_set_rbtree
sudo rmmod nf_tables
Blacklist nftables modules

Prevent the nftables modules from loading at boot. A blacklist entry only stops alias-based auto-loading (the request the kernel makes when an nftables netlink socket is used); root can still load the module explicitly by name with modprobe. Regenerate the initramfs so the setting also applies early in boot, then reboot.

echo 'blacklist nf_tables' | sudo tee /etc/modprobe.d/blacklist-nftables.conf
echo 'blacklist nft_chain_nat' | sudo tee -a /etc/modprobe.d/blacklist-nftables.conf
sudo update-initramfs -u    # Debian/Ubuntu; on Fedora/RHEL use: sudo dracut -f

🧯 If You Can't Patch

  • Restrict local user access through strict authentication and least privilege principles
  • Implement kernel module signing and disable module auto-loading where possible

🔍 How to Verify

Check if Vulnerable:

Check your kernel version against your distribution's security advisory; also check whether nftables is loaded: lsmod | grep nf_tables. An empty result is not proof of absence: if nf_tables is compiled into the kernel it never appears in lsmod, so also look for nf_tables.ko in /lib/modules/$(uname -r)/modules.builtin.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version after update matches patched version from vendor advisory; ensure system rebooted
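The verification steps above, as an added POSIX shell script that is not part of this advisory: it compares the running kernel against a patched version you supply from your vendor advisory (no version is assumed here) and checks for nf_tables both as a loaded module and as a built-in, which lsmod alone misses. The function names and the PATCHED_KVER variable are this example's own.

```shell
#!/bin/sh
# Added example, not part of the advisory: decide whether this host still
# needs attention for CVE-2023-31248. PATCHED_KVER must be supplied from your
# distribution's advisory; no fixed version is assumed here.

# kver_lt A B -> exit 0 when version A sorts strictly before version B.
# Distribution suffixes such as "-generic" or "-284.el9" are stripped first.
kver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[-+].*/, "", a); sub(/[-+].*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# nft_present MODULES_FILE BUILTIN_FILE -> exit 0 when nf_tables is loaded as a
# module (first column of /proc/modules) or compiled into the kernel (listed in
# modules.builtin). lsmod alone misses the built-in case.
nft_present() {
    mods="${1:-/proc/modules}"
    builtin="${2:-/lib/modules/$(uname -r)/modules.builtin}"
    { [ -r "$mods" ] && awk '$1 == "nf_tables" { f = 1 } END { exit !f }' "$mods"; } ||
    { [ -r "$builtin" ] && grep -q '/nf_tables\.ko' "$builtin"; }
}

# assess KVER MODULES_FILE BUILTIN_FILE -> prints "patched", "vulnerable" or
# "exposed-if-nftables-loads" (kernel unpatched, nf_tables currently absent).
assess() {
    if ! kver_lt "$1" "$PATCHED_KVER"; then
        echo "patched"
    elif nft_present "$2" "$3"; then
        echo "vulnerable"
    else
        echo "exposed-if-nftables-loads"
    fi
}

# Usage: PATCHED_KVER=<version from vendor advisory> sh check-cve-2023-31248.sh
if [ -n "$PATCHED_KVER" ]; then
    assess "$(uname -r)" /proc/modules "/lib/modules/$(uname -r)/modules.builtin"
else
    echo "set PATCHED_KVER to the patched kernel version named in your distribution's advisory" >&2
fi
```

A host reporting "exposed-if-nftables-loads" becomes vulnerable the moment nf_tables is auto-loaded, so treat it as unpatched rather than safe.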

📡 Detection & Monitoring

Log Indicators:

  • Kernel oops messages related to nftables
  • Unexpected privilege escalation events in audit logs
  • Failed module loading attempts for nftables

Network Indicators:

  • None - this is local exploitation only

SIEM Query:

Example: (event_type="privilege_escalation" OR event_type="kernel_panic") AND process_name CONTAINS "nft"
