CVE-2023-35001 - Breaking Down the Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability

In 2023, security researchers found a serious vulnerability in the Linux kernel's nftables subsystem. Tracked as CVE-2023-35001, this bug allows an attacker to read and write outside the expected memory when manipulating nftables rulesets, a cornerstone of Linux firewalling. Understanding this bug is important for anyone running Linux firewalls, containers, and modern networking setups.

In this article, I'll explain the vulnerability in plain English, show snippet examples, and provide links to the best resources for further technical exploration. Let's break down how CVE-2023-35001 works, why it matters, and how to protect against it.

What Is nftables?

nftables is the standard packet filtering framework in Linux, replacing iptables. It lets administrators control network traffic with flexible rules.

## The Core Issue: Out-Of-Bounds (OOB) Read/Write

The vulnerability comes from the Linux kernel's nft_byteorder expression—an operator used in nftables rules to convert data between little and big endian formats. The bug is in how nft_byteorder handles internal registers when complex rulesets or garbage values are injected.

In short: a user with CAP_NET_ADMIN capability, even in a user or network namespace (like in Docker or LXC containers), can craft a ruleset that tricks the kernel into reading or writing outside the intended memory bounds. This can lead to leaking sensitive data, crashing the kernel, or in some scenarios, local privilege escalation.

Technical Details

When nftables rules are evaluated, the kernel uses a set of virtual machine (VM) registers. The core of the bug happens because nft_byteorder does not properly check if its input register state is valid, especially when a rule references uninitialized or out-of-range registers.

If the attacker loads crafted rules, they can execute a byteorder operation on a register containing arbitrary data. If this register has invalid values, the byteorder code can read or write outside its intended buffer (out-of-bounds).

This is the excerpt from the kernel patch

/* old (vulnerable) code snippet */
dst = &regs->data[dst_register][dst_offset];
src = &regs->data[src_register][src_offset];
// no checks on register numbers or offsets!
memcpy(dst, src, len);

With a malicious ruleset, these indexes (dst_register, dst_offset, etc.) can fall outside of the allocated memory, giving attackers a chance to read/write unintended kernel memory using just CAP_NET_ADMIN.

Load an nftables ruleset with malicious nft_byteorder operation (with registers set incorrectly).

3. Trigger kernel code execution with OOB read/write.

Proof-of-Concept Code Snippet

Here’s a simplified pseudo-example of how someone might trigger the bug. Please do not use this for malicious purposes!

#!/bin/bash
# You must run inside an unprivileged user or network namespace with CAP_NET_ADMIN

nft -f - <<EOF
table inet hack {
    chain input {
        type filter hook input priority ;
        # Intentionally buggy byteorder; src reg may be out-of-bounds!
        meta l4proto set @reg, nft_byteorder s16 reg 20 == x1234
    }
}
EOF

> This snippet is for educational purpose only. Actual weaponized exploits are more elaborate, but the core logic abuses improper register access.

How Dangerous Is This?

- High Impact: Allows attackers with limited privileges (just CAP_NET_ADMIN inside a namespace) to escape containers, read kernel memory, or potentially escalate privileges.
- Affects: Linux kernel versions from 5.13 (where the offending code was introduced) up to the fix in patch b73b2bf4078a

Solution

1. Update your Linux kernel to a version with the patch merged. Major distributions released patches quickly—check your distro's security advisories:
  - Red Hat
  - Ubuntu
  - Debian
  - Kernel patch diff

2. Restrict who gets CAP_NET_ADMIN, even inside containers. It's a powerful permission and should not be given to untrusted workloads.

Further Reading & Official References

- Git commit fixing CVE-2023-35001 (kernel.org)
- Red Hat CVE Database
- Nikolay Aleksandrov’s Patch Discussion
- nftables manpage
- Kernel Security Mailing List (oss-security) post

Conclusion

CVE-2023-35001 reminds us how crucial it is to validate kernel inputs, even when dealing with privileged operations inside containers or network namespaces. If you run a Linux server—especially one using containers or custom nftables rules—double check your kernel version and update as soon as possible.

Not only does this patch close a dangerous door, but it reaffirms why strict capability controls and regular patching are still the best defenses in Linux security.

Stay patched, stay safe!

*Disclaimer: This article is for educational purposes only. Do not abuse security vulnerabilities; always follow your organization’s and country’s laws.*

Timeline

Published on: 07/05/2023 19:15:00 UTC
Last modified on: 08/24/2023 19:15:00 UTC