Use After Free in Linux Kernel
CVE-2023-3390
A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c. Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causin…
Vulnerability class: Use-After-Free
EPSS: 0.001 (28.0th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.8 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Linux Kernel — versions 3.16
Weakness classification (CWE)
Public proof-of-concept exploits
References
- git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/
- kernel.dance/1240eb93f0616b21c675416516ff3d74798fdc97
- www.debian.org/security/2023/dsa-5448
- www.debian.org/security/2023/dsa-5461
- lists.debian.org/debian-lts-announce/2023/08/msg00001.html
- security.netapp.com/advisory/ntap-20230818-0004/
- packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097…
- lists.debian.org/debian-lts-announce/2024/01/msg00004.html
Frequently asked questions
- What is CVE-2023-3390?
- CVE-2023-3390 is a high-severity vulnerability in Linux Kernel, classified under Use After Free. CVSS score: 7.8/10. Published 2023-06-28.
- How severe is CVE-2023-3390?
- High severity. CVSS v3 base score is 7.8 out of 10.
- Is CVE-2023-3390 known to be exploited?
- 8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.