Login Sign Up

CVE-2023-5197

7.8 HIGH

📋 TL;DR

This CVE describes a use-after-free vulnerability in the Linux kernel's netfilter nf_tables component. It allows local attackers to escalate privileges from an unprivileged user to root. All Linux systems using affected kernel versions with nf_tables enabled are vulnerable.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: Kernel versions before commit f15f29fd4779be8a418b66e9d52979bb6d6c2325
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires nf_tables subsystem to be enabled/loaded. Most modern Linux distributions have this enabled by default.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full root privilege escalation leading to complete system compromise, data theft, and persistent backdoor installation.

🟠

Likely Case

Local privilege escalation allowing attackers to gain root access on compromised systems.

🟢

If Mitigated

Limited impact if proper access controls restrict local user accounts and kernel modules are hardened.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access.
🏢 Internal Only: HIGH - Any compromised local account can exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and knowledge of kernel exploitation techniques. Public exploit code exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel with commit f15f29fd4779be8a418b66e9d52979bb6d6c2325 or later

Vendor Advisory: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f15f29fd4779be8a418b66e9d52979bb6d6c2325

Restart Required: Yes

Instructions:

1. Update kernel to version containing commit f15f29fd4779be8a418b66e9d52979bb6d6c2325. 2. Use distribution-specific package manager: 'apt update && apt upgrade' for Debian/Ubuntu, 'yum update' for RHEL/CentOS, 'zypper update' for SUSE. 3. Reboot system to load new kernel.

🔧 Temporary Workarounds

Disable nf_tables module

linux

Unload nf_tables kernel module to prevent exploitation

modprobe -r nf_tables
echo 'blacklist nf_tables' >> /etc/modprobe.d/blacklist.conf

Restrict local user access

all

Implement strict access controls to limit local user accounts

🧯 If You Can't Patch

  • Implement strict access controls and limit local user accounts
  • Use kernel live patching solutions if available for your distribution

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if commit f15f29fd4779be8a418b66e9d52979bb6d6c2325 is present: 'uname -r' and check git log or distribution security advisories.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version after update and check that nf_tables module is either patched or disabled.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • OOM killer activity
  • Unusual privilege escalation in audit logs

Network Indicators:

  • None - this is a local exploit

SIEM Query:

Search for kernel panic events, privilege escalation attempts, or abnormal process behavior indicating kernel exploitation

📊 Metadata

CVE ID: CVE-2023-5197
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-416
Published: September 27, 2023
Last Updated: December 11, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-5197, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)
CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)
CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)