Hello everyone! In today's in-depth analysis, we'll be discussing a newly-discovered vulnerability in the Linux kernel, specifically relating to the IP transforming packets framework (XFRM subsystem). This flaw is pretty dangerous as it could potentially let an attacker with CAP_NET_ADMIN privileges cause a kernel crash, leading to a denial of service. The security vulnerability is assigned with the identifier CVE-2023-3772.

Summary of the Vulnerability

The core of the issue lies in the Linux kernel's XFRM subsystem, which is responsible for IP packet transformations. It's responsible for handling things like encryption, compression, authentication, or tunneling protocols. In essence, the flaw allows a malicious user (with CAP_NET_ADMIN privileges) to directly dereference a NULL pointer in the xfrm_update_ae_params() function. This could lead to a kernel crash, causing a potential denial of service.

To better understand the issue, let's take a look at a code snippet demonstrating the problem

static int xfrm_update_ae_params(struct xfrm_state *x, struct xfrm_aevent_id *id, unsigned int *size)
    if (unlikely(!x))
        return -EINVAL;

    // ...

In this sample code, it's clear that there's no apparent check of the


parameter for a NULL value before being used elsewhere in the function. This can cause issues inside the code at later stages.

How to Exploit CVE-2023-3772

For an attacker to exploit this vulnerability, they would need CAP_NET_ADMIN privileges, which essentially grant the user administrative rights over network-related resources on the system. With those privileges, an attacker can manipulate the function's parameters (specifically setting NULL for id), directly dereference a NULL pointer, and ultimately cause a kernel crash – leading to a denial of service.

In order to further understand CVE-2023-3772 and keep yourself updated, make sure to check out these original references:

- CVE-2023-3772 Official Details
- Linux Kernel Documentation - XFRM
- Linux Kernel Source Code on GitHub


While this vulnerability may look somewhat trivial at first glance, it has the potential to be quite harmful if exploited by a malicious user with CAP_NET_ADMIN privileges. The good news is that once the vulnerability has been identified, Linux kernel developers can begin working on a patch to fix the issue.

In the meantime, it's crucial for system administrators and users to be aware of CVE-2023-3772 and take necessary steps to prevent malicious users from obtaining CAP_NET_ADMIN privileges in the first place. This can be achieved through proper configuration, securing network interfaces and services, and keeping kernel software up-to-date.


Published on: 07/25/2023 16:15:00 UTC
Last modified on: 09/10/2023 12:15:00 UTC