CVE-2023-35788

7.8 HIGH

📋 TL;DR

This vulnerability allows attackers to perform out-of-bounds writes in the Linux kernel's flower classifier code via specially crafted GENEVE packets. It affects Linux systems running kernel versions before 6.3.7 and can lead to denial of service or potential privilege escalation. Systems using the flower classifier for traffic control are particularly vulnerable.

💻 Affected Systems

Products:
  • Linux kernel
Versions: All versions before 6.3.7
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Systems must have the flower classifier module loaded (cls_flower) and be processing GENEVE packets to be exploitable.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →


⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise through kernel privilege escalation leading to root access and complete system control.

🟠 Likely Case: Kernel panic or system crash causing denial of service, requiring system reboot.

🟢 If Mitigated: Limited impact if proper network segmentation and egress filtering prevent malicious packets from reaching vulnerable systems.

🌐 Internet-Facing: MEDIUM - Requires sending specially crafted packets to vulnerable systems, but many internet-facing systems filter such traffic.
🏢 Internal Only: HIGH - Internal systems often have fewer network controls, making exploitation easier within trusted networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires network access to send crafted packets. Proof-of-concept code has been published in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 6.3.7 and later

Vendor Advisory: https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.3.7

Restart Required: Yes

Instructions:

1. Update the kernel to version 6.3.7 or later.
2. For distributions: use the package manager (apt/yum/dnf) to update the kernel package.
3. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Unload flower classifier module (Linux). Temporarily disable the vulnerable module if it is not required:

  sudo rmmod cls_flower

Block GENEVE packets (Linux). Use iptables to block GENEVE packets (UDP port 6081):

  sudo iptables -A INPUT -p udp --dport 6081 -j DROP
  sudo iptables -A FORWARD -p udp --dport 6081 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable systems
  • Deploy network intrusion prevention systems to detect and block malicious GENEVE packets

🔍 How to Verify

Check if Vulnerable:

Check the kernel version with uname -r. If it is earlier than 6.3.7, the system is vulnerable when the cls_flower module is loaded.

Check Version:

uname -r

Verify Fix Applied:

After patching, verify that the kernel version reported by uname -r is 6.3.7 or later and that the system remains stable under normal GENEVE traffic.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages in /var/log/kern.log or dmesg
  • System crash/reboot logs
  • Unexpected process termination

Network Indicators:

  • Unusual GENEVE packet patterns (UDP port 6081)
  • Multiple malformed packet attempts from single source

SIEM Query:

source="kernel" AND ("panic" OR "Oops" OR "general protection fault") AND "cls_flower"
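As an added example (not part of this advisory or of the Linux kernel project), the shell script below combines the "How to Verify" check and the "Detection & Monitoring" query: it compares the uname -r version string against the fixed release 6.3.7 given above, looks for cls_flower in lsmod output, and applies a grep equivalent of the SIEM query to constructed kern.log lines. The function names (vercmp, kernel_version_vulnerable, cls_flower_loaded, filter_kernel_indicators, count_kernel_indicators) and the sample log lines are assumptions made for this example. Distribution kernels may carry the fix as a backport under an older version string, so the version comparison is a first-pass indicator rather than proof of exposure.

```shell
#!/bin/sh
# Added example for the CVE-2023-35788 advisory above; not code from the
# advisory or from the Linux kernel project. Fixed-in version 6.3.7 and the
# cls_flower / SIEM indicators come from the advisory text; function names
# and the sample log lines below are constructed for this example.

FIXED_VERSION="6.3.7"

# vercmp A B: print -1, 0 or 1 for A<B, A==B, A>B on the numeric x.y.z part.
# Distribution suffixes such as "-76-generic" or "-arch1-1" are stripped.
vercmp() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# True (exit 0) when the version string is older than the fixed release.
# A distro kernel may carry the fix as a backport at an older version,
# so treat this as a first-pass indicator, not proof of exposure.
kernel_version_vulnerable() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# True when cls_flower is listed in lsmod-style output passed as $1.
cls_flower_loaded() {
    printf '%s\n' "$1" | awk '$1 == "cls_flower" { found = 1 } END { exit !found }'
}

# Equivalent of the advisory's SIEM query: keep kernel-log lines that
# mention panic / Oops / general protection fault AND cls_flower.
filter_kernel_indicators() {
    grep -Ei 'panic|oops|general protection fault' | grep -F 'cls_flower'
}

# Count matching lines in the log text passed as $1.
count_kernel_indicators() {
    printf '%s\n' "$1" | filter_kernel_indicators | wc -l | tr -d ' '
}

# Constructed sample kern.log lines (not real crash output): two should match.
SAMPLE_KERN_LOG='Jun 14 10:01:02 host kernel: general protection fault, probably for non-canonical address 0x1234 [cls_flower]
Jun 14 10:01:03 host kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Jun 14 10:01:04 host kernel: Oops: 0000 [#1] SMP in module cls_flower
Jun 14 10:01:05 host kernel: Kernel panic - not syncing: Fatal exception in interrupt
Jun 14 10:01:06 host kernel: BUG: unable to handle page fault in cls_flower'

main() {
    running=$(uname -r)
    if kernel_version_vulnerable "$running"; then
        printf 'kernel %s is older than %s\n' "$running" "$FIXED_VERSION"
        if command -v lsmod >/dev/null 2>&1 && cls_flower_loaded "$(lsmod)"; then
            echo 'cls_flower is loaded: exposure indicated, patch or unload it'
        else
            echo 'cls_flower not loaded (or lsmod unavailable): not currently exposed'
        fi
    else
        printf 'kernel %s is at or above %s\n' "$running" "$FIXED_VERSION"
    fi
    printf 'matching sample log lines: %s\n' "$(count_kernel_indicators "$SAMPLE_KERN_LOG")"
    printf '%s\n' "$SAMPLE_KERN_LOG" | filter_kernel_indicators
}

main "$@"
```

Run it with sh on a host to get the version verdict and the module check; to apply the log filter to real data, pipe dmesg or /var/log/kern.log into filter_kernel_indicators instead of the constructed sample.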
