CVE-2023-52628

7.1 HIGH

📋 TL;DR

This vulnerability in the Linux kernel's netfilter nftables exthdr component allows a 4-byte out-of-bounds stack write when processing network packets. Attackers with local or network access can exploit this to corrupt kernel memory, potentially leading to privilege escalation or denial of service. Systems running affected Linux kernel versions with nftables enabled are vulnerable.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions from 4.1 through patched versions (specific commit ranges affected)
Operating Systems: All Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if nftables is enabled and configured with exthdr rules. Many distributions don't enable nftables by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash, or arbitrary code execution with kernel privileges resulting in full system compromise.

🟠

Likely Case

Kernel crash causing denial of service, or limited privilege escalation from unprivileged user to root.

🟢

If Mitigated

Minimal impact if nftables is disabled or systems are properly segmented with network filtering.

🌐 Internet-Facing: MEDIUM - Requires network access to trigger, but exploitation depends on nftables configuration and firewall rules.
🏢 Internal Only: MEDIUM - Local users can potentially exploit this for privilege escalation if they have network access to trigger the bug.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending specially crafted network packets to trigger the OOB write. The bug was reported by Zero Day Initiative, suggesting potential for weaponization.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in stable kernel commits referenced in CVE

Vendor Advisory: https://git.kernel.org/stable/c/1ad7b189cc1411048434e8595ffcbe7873b71082

Restart Required: Yes

Instructions:

1. Update the Linux kernel to the patched version from your distribution vendor.
2. Reboot the system to load the new kernel.
3. Verify the kernel version after reboot.

🔧 Temporary Workarounds

Disable nftables (linux)

Disable the nftables firewall subsystem if it is not required:

systemctl stop nftables
systemctl disable nftables

Remove exthdr rules (linux)

Remove any nftables rules that use exthdr matching. Delete individual rules by handle, or flush the whole ruleset (note that `nft flush ruleset` removes every table, chain and rule, not only the exthdr ones):

nft delete rule <table> <chain> handle <handle>
nft flush ruleset

🧯 If You Can't Patch

  • Implement network segmentation to limit access to vulnerable systems
  • Use host-based firewalls (iptables) instead of nftables if possible

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if nftables is active: uname -r && systemctl status nftables

Check Version:

uname -r

Verify Fix Applied:

Verify that the running kernel is a patched build and check the nftables service status (replace patched_version_pattern with the fixed version your vendor published): uname -r | grep -E 'patched_version_pattern'
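The checks above can be combined into one script. The following is an added example, not part of the advisory or of the kernel project. It assumes: the keyword list of rule matches backed by the kernel's nft_exthdr expression is maintained by hand here (exthdr, tcp option, ip option, sctp chunk, dccp option); the sample ruleset is constructed for the demonstration; `sort -V` is GNU coreutils' version sort; and the fixed kernel version is whatever your vendor publishes, passed in as a parameter rather than hard-coded.

```sh
#!/bin/sh
# Added example (not from the advisory): inventory the two conditions the
# advisory names as prerequisites for exposure, an active nftables service and
# loaded rules that the kernel evaluates through its nft_exthdr expression.

# Keywords in `nft list ruleset` output that the kernel implements in the
# nft_exthdr expression (IPv6 extension headers, IPv4/TCP/DCCP options, SCTP
# chunks). Assumption: hand-maintained list, not derived from nft itself.
EXTHDR_PATTERN='(^|[[:space:]])(exthdr|tcp option|ip option|sctp chunk|dccp option)([[:space:]]|$)'

# count_exthdr_rules: read ruleset text (as printed by `nft list ruleset`) on
# stdin and print the number of lines that use an exthdr-backed match.
# grep -c exits 1 when the count is 0, so `|| true` keeps the exit status 0.
count_exthdr_rules() {
    grep -Ec "$EXTHDR_PATTERN" || true
}

# kernel_at_least RUNNING FIXED: succeed when the upstream part of RUNNING
# (text before the first '-') is >= FIXED, compared with version sort.
# Caveat: distributions backport fixes without bumping the upstream version,
# so FIXED must be the vendor's fixed package version, not a stable tag.
kernel_at_least() {
    cur=${1%%-*}
    fixed=${2%%-*}
    [ "$(printf '%s\n%s\n' "$fixed" "$cur" | sort -V | head -n 1)" = "$fixed" ]
}

# live_check: run the real checks on this host (needs root for `nft list`).
live_check() {
    printf 'kernel: %s\n' "$(uname -r)"
    if command -v systemctl >/dev/null 2>&1; then
        # `is-active` exits non-zero when inactive; the status word is enough.
        printf 'nftables.service: %s\n' "$(systemctl is-active nftables 2>/dev/null || true)"
    fi
    if command -v nft >/dev/null 2>&1; then
        n=$(nft list ruleset 2>/dev/null | count_exthdr_rules)
        printf 'exthdr-backed rules loaded: %s\n' "$n"
    else
        echo 'nft not installed; no ruleset can be loaded through nft(8)'
    fi
}

# Constructed sample ruleset: two of its rules use exthdr-backed matches
# (tcp option, exthdr); `tcp dport 22` is an ordinary payload match.
SAMPLE_RULESET='table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" accept
		tcp option maxseg size 1460 counter drop
		exthdr hbh exists drop
		tcp dport 22 accept
	}
}'

# Demonstration on the constructed sample (no root, no nft needed).
printf 'exthdr-backed rules in sample ruleset: %s\n' \
    "$(printf '%s\n' "$SAMPLE_RULESET" | count_exthdr_rules)"

# Pass --live to inspect the current host instead of the sample.
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it as `sh verify.sh` to see the sample, or `sudo sh verify.sh --live` to report the kernel version, nftables service state and the number of loaded exthdr-backed rules on the host; call `kernel_at_least "$(uname -r)" <vendor-fixed-version>` with the version from your distribution's advisory to check the patch level.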

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • System crash/reboot events
  • nftables rule processing errors

Network Indicators:

  • Unusual packets reaching hosts whose nftables rules use exthdr matching (nftables has no listening port; the trigger is traffic the rules inspect)
  • Traffic patterns that repeatedly exercise exthdr processing, such as unusual extension-header or option layouts

SIEM Query:

(source="kernel" AND ("panic" OR "Oops" OR "nft")) OR (source="auth" AND event="reboot")
