CVE-2023-3777

7.8 HIGH

📋 TL;DR

This CVE describes a use-after-free vulnerability in the Linux kernel's netfilter nf_tables component. It allows a local attacker to escalate privileges from an unprivileged user to root. Any Linux system using an affected kernel version with nf_tables enabled is vulnerable.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions before commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires nf_tables subsystem to be enabled (common in modern kernels). Systems with CONFIG_NF_TABLES=n are not vulnerable.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →


⚠️ Risk & Real-World Impact

🔴

Worst Case

Full root compromise of the system, allowing complete control, data theft, persistence, and lateral movement.

🟠

Likely Case

Local privilege escalation to root by an authenticated low-privilege user or malicious insider.

🟢

If Mitigated

Limited impact if proper access controls, SELinux/AppArmor, and kernel hardening are in place.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access.
🏢 Internal Only: HIGH - Any compromised low-privilege account or malicious insider can exploit this to gain root.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires local access and knowledge of kernel exploitation techniques. Public exploit code exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel with commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8 or later

Vendor Advisory: https://www.debian.org/security/2023/dsa-5492

Restart Required: Yes

Instructions:

1. Update the kernel package via the distribution's package manager.
2. For Debian/Ubuntu: apt update && apt upgrade linux-image-*
3. For RHEL/CentOS: yum update kernel
4. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Disable nf_tables module (platform: linux)

Unload the nf_tables kernel module if it is not required:

modprobe -r nf_tables
echo 'blacklist nf_tables' >> /etc/modprobe.d/blacklist.conf

Restrict user access (platform: all)

Limit local user accounts and implement strict access controls.

🧯 If You Can't Patch

  • Implement strict access controls and limit local user accounts
  • Use SELinux/AppArmor to restrict kernel access and containerize applications

🔍 How to Verify

Check if Vulnerable:

Check the kernel version and whether nf_tables is loaded:

uname -r && lsmod | grep nf_tables

Check Version:

uname -r

Verify Fix Applied:

Verify that the running kernel includes the fix commit:

grep -q '6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8' /proc/version_signature || echo 'Check kernel changelog'
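The following is an added example, not part of this advisory, that ties the workaround and verification steps together: it classifies a host's nf_tables exposure from lsmod output and the kernel build config (built-in, loaded, module-but-unloaded, or disabled) and checks whether the modprobe.d rules actually stop on-demand loading. All inputs are passed as text so it runs offline; the sample data at the bottom is constructed, not captured from a real host, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): classify exposure to the nf_tables
# use-after-free from lsmod output, the kernel config and modprobe.d rules.
# On a real host feed it: lsmod, /boot/config-$(uname -r), /etc/modprobe.d/*.conf

# nft_state LSMOD_TEXT CONFIG_TEXT -> prints one of:
#   builtin   CONFIG_NF_TABLES=y: cannot be unloaded, only a patched kernel helps
#   loaded    module is currently loaded (modprobe -r nf_tables applies)
#   module    built as a module but not loaded; can still be autoloaded on demand
#   disabled  CONFIG_NF_TABLES is not set: the vulnerable code is absent
nft_state() {
    lsmod_text=$1
    config_text=$2
    if printf '%s\n' "$config_text" | grep -q '^CONFIG_NF_TABLES=y'; then
        echo builtin
    elif printf '%s\n' "$lsmod_text" | grep -q '^nf_tables[[:space:]]'; then
        echo loaded
    elif printf '%s\n' "$config_text" | grep -q '^CONFIG_NF_TABLES=m'; then
        echo module
    else
        echo disabled
    fi
}

# modprobe_blocks_autoload MODPROBE_TEXT -> exit 0 if an "install nf_tables
# /bin/false" (or /bin/true) rule is present. A plain "blacklist" line only
# stops alias-based loading at boot; the kernel's request_module() path
# still loads the module unless an install rule overrides the load.
modprobe_blocks_autoload() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*install[[:space:]]+nf_tables[[:space:]]+/bin/(false|true)'
}

# Constructed sample inputs for a stand-alone run.
SAMPLE_LSMOD='Module                  Size  Used by
nf_tables             286720  0
nfnetlink              20480  1 nf_tables'
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_NF_TABLES=m'
SAMPLE_MODPROBE='blacklist nf_tables'

echo "nf_tables state: $(nft_state "$SAMPLE_LSMOD" "$SAMPLE_CONFIG")"
if modprobe_blocks_autoload "$SAMPLE_MODPROBE"; then
    echo "on-demand autoload blocked by install rule"
else
    echo "WARNING: blacklist alone does not stop on-demand autoload"
fi
```

With the sample data the state is "loaded" and the blacklist-only rule is flagged, which is why the workaround above should be paired with an `install nf_tables /bin/false` line if the module must stay unavailable after `modprobe -r`.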

📡 Detection & Monitoring

Log Indicators:

  • Kernel oops messages
  • Unexpected privilege escalation in audit logs
  • nf_tables related crashes in dmesg

SIEM Query:

source="kernel" AND ("nf_tables" OR "use-after-free") OR event="privilege_escalation"
