CVE-2023-53198
📋 TL;DR
A NULL pointer dereference vulnerability in the Linux kernel's raw socket implementation allows local attackers to cause a kernel panic (denial of service) by accessing /proc/net/raw while raw sockets are being freed in parallel. This affects Linux systems with raw sockets enabled, primarily impacting servers and containers.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially disrupting critical services.
Likely Case
Local denial of service through kernel crash or instability when raw sockets are actively used.
If Mitigated
Minimal impact if raw sockets are disabled or access to /proc/net/raw is restricted.
🎯 Exploit Status
Exploitation requires local access and ability to create raw sockets. The reproducer shows parallel execution of unshare and socket operations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions with commits 0a78cf7264d2, 67daeaecd70e, or b34056bedf04
Vendor Advisory: https://git.kernel.org/stable/c/0a78cf7264d29abeca098eae0b188a10aabc8a32
Restart Required: Yes
Instructions:
1. Update the Linux kernel to the patched version from your distribution.
2. Reboot the system to load the new kernel.
3. Verify that the running kernel version matches the patched release.
🔧 Temporary Workarounds
Restrict raw socket access
Linux: Limit the CAP_NET_RAW capability to prevent raw socket creation
sysctl -w net.ipv4.raw_l3_skb_accept=0
capsh --drop=cap_net_raw -- -c "your_command"
Restrict /proc/net/raw access
Linux: Limit read access to /proc/net/raw to prevent triggering the vulnerability
chmod 600 /proc/net/raw
setfacl -m u:root:r-- /proc/net/raw
🧯 If You Can't Patch
- Implement strict capability management to deny CAP_NET_RAW to untrusted users/containers
- Monitor for crash reports and kernel panics related to raw socket operations
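To confirm the capability workaround actually holds, here is an added example (not part of this advisory) that audits processes for CAP_NET_RAW by parsing the Cap* lines of /proc/<pid>/status. Bit 13 is CAP_NET_RAW's index from linux/capability.h; the two status dumps embedded below are constructed samples, not real captures, and the function and variable names are the example's own.

```python
"""Audit processes for CAP_NET_RAW via the Cap* lines of /proc/<pid>/status.

Added example for the "deny CAP_NET_RAW" mitigation; not part of the advisory.
Bit 13 is CAP_NET_RAW's index in linux/capability.h.
"""
import os
import re

CAP_NET_RAW = 13
CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")
CAP_LINE = re.compile(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$")


def parse_cap_sets(status_text):
    """Return {field: bitmask} for the capability lines of a status dump."""
    caps = {}
    for line in status_text.splitlines():
        m = CAP_LINE.match(line)
        if m and m.group(1) in CAP_FIELDS:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps


def has_cap(mask, cap):
    """True if bit `cap` is set in the capability mask."""
    return bool((mask >> cap) & 1)


def cap_net_raw_report(status_text):
    """Map each capability set to whether it still contains CAP_NET_RAW."""
    caps = parse_cap_sets(status_text)
    return {field: has_cap(mask, CAP_NET_RAW) for field, mask in caps.items()}


def is_net_raw_denied(status_text):
    """The mitigation holds only if CAP_NET_RAW is absent from the effective
    set AND the bounding set, so it cannot be regained across execve()."""
    report = cap_net_raw_report(status_text)
    return not report.get("CapEff", True) and not report.get("CapBnd", True)


def processes_holding_net_raw():
    """Scan /proc for live processes whose effective set has CAP_NET_RAW."""
    holders = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/status") as fh:
                status = fh.read()
        except OSError:  # process exited or status not readable
            continue
        if cap_net_raw_report(status).get("CapEff"):
            name = re.search(r"^Name:\s*(\S+)", status, re.M)
            holders.append((int(entry), name.group(1) if name else "?"))
    return holders


# Constructed sample dumps (not real captures); 0x1ffffffffff is the full
# 41-bit capability mask of a recent kernel.
ROOT_SHELL_STATUS = (
    "Name:\tbash\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n"
)
# A root shell started via `capsh --drop=cap_net_raw`: bit 13 is cleared
# from the permitted, effective and bounding sets (...ffff -> ...dfff).
DROPPED_STATUS = (
    "Name:\tbash\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t000001ffffffdfff\n"
    "CapEff:\t000001ffffffdfff\n"
    "CapBnd:\t000001ffffffdfff\n"
    "CapAmb:\t0000000000000000\n"
)

if __name__ == "__main__":
    for pid, name in processes_holding_net_raw():
        print(f"pid {pid} ({name}) still has CAP_NET_RAW in CapEff")
```

Run it as root inside the container or session you hardened; an empty result means no live process can open a raw socket, and `is_net_raw_denied` additionally checks the bounding set, since a cleared effective set alone can be refilled on the next setuid execve.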
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if raw sockets are enabled: cat /proc/sys/net/ipv4/raw_l3_skb_accept
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes fix commits: grep -q "0a78cf7264d2\|67daeaecd70e\|b34056bedf04" /proc/version_signature
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages mentioning raw_get_next, raw_seq_start, or NULL pointer dereference in raw.c
Network Indicators:
- Unusual raw socket creation patterns from local users
SIEM Query:
(event_type:"kernel_panic" AND message:"raw.c") OR process:"syz-executor"
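As an added example (not part of this advisory) of turning the log indicators above into detection logic, the following Python script groups kernel oops blocks in dmesg-style output and flags the ones whose frames mention raw_get_next, raw_seq_start or raw.c. The sample log lines are constructed for illustration, including the stack offsets and the unrelated second oops used as a negative case.

```python
"""Flag kernel oops blocks that reference the raw socket /proc handlers.

Added example built on the advisory's Log Indicators; not part of the advisory.
Input is dmesg-style text (e.g. `dmesg` or journalctl -k output).
"""
import re
import sys

# Indicators from the advisory's "Log Indicators" section
RAW_INDICATORS = ("raw_get_next", "raw_seq_start", "raw.c")
OOPS_START = re.compile(r"BUG: kernel NULL pointer dereference|Oops:")
OOPS_END = re.compile(r"---\[ end trace|Kernel panic - not syncing")
COMM_RE = re.compile(r"Comm:\s*(\S+)")
TS_RE = re.compile(r"^\[\s*[\d.]+\]\s*")


def strip_timestamp(line):
    """Remove the leading `[  123.456789] ` printk timestamp if present."""
    return TS_RE.sub("", line)


def find_raw_socket_oopses(lines):
    """Return one finding per oops block that touches the raw socket code.

    Each finding records the 0-based index of the block's first line, the
    command that was running, and which indicators matched.
    """
    findings = []
    block = None
    for idx, raw in enumerate(lines):
        line = strip_timestamp(raw)
        if block is None and OOPS_START.search(line):
            block = {"start_line": idx, "comm": None, "indicators": set()}
        if block is None:
            continue
        for indicator in RAW_INDICATORS:
            if indicator in line:
                block["indicators"].add(indicator)
        m = COMM_RE.search(line)
        if m:
            block["comm"] = m.group(1)
        if OOPS_END.search(line):
            if block["indicators"]:
                findings.append(block)
            block = None
    if block is not None and block["indicators"]:  # log ended mid-oops
        findings.append(block)
    return findings


# Constructed sample log (offsets, PIDs and trace ids are made up).
SAMPLE_DMESG = """\
[  512.001000] usb 1-1: new high-speed USB device number 3
[  512.100000] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  512.100100] Oops: 0000 [#1] PREEMPT SMP
[  512.100200] CPU: 1 PID: 4242 Comm: cat Not tainted 6.1.0-example #1
[  512.100300] RIP: 0010:raw_get_next+0x10/0x40
[  512.100400] Call Trace:
[  512.100500]  raw_seq_start+0x2a/0x60
[  512.100600]  seq_read_iter+0x100/0x400
[  512.100700]  proc_reg_read_iter+0x50/0x90
[  512.100800] ---[ end trace 0000000000000000 ]---
[  700.000000] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  700.000100] Oops: 0000 [#2] PREEMPT SMP
[  700.000200] CPU: 0 PID: 99 Comm: example_driver Not tainted 6.1.0-example #1
[  700.000300] RIP: 0010:example_driver_probe+0x1c/0x80
[  700.000400] ---[ end trace 0000000000000001 ]---
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    for f in find_raw_socket_oopses(text.splitlines()):
        print(f"line {f['start_line']}: comm={f['comm']} "
              f"indicators={sorted(f['indicators'])}")
```

Feed it `dmesg` output or a journal export; grouping by oops block rather than matching single lines avoids alerting on every unrelated NULL dereference and keeps the reporting process name, which is what you would pivot on when the SIEM query above fires.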