Bug 2395846 (CVE-2023-53304)

Summary: CVE-2023-53304 kernel: Linux kernel: Denial of Service in netfilter due to improper garbage collection
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's netfilter component, specifically within the nft_set_rbtree module. A local user with low privileges could exploit an issue where the garbage collection mechanism fails to properly release memory during interval expiration walks. This can lead to a memory leak, potentially causing a Denial of Service (DoS) on the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-09-16 17:01:37 UTC 
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_rbtree: fix overlap expiration walk

The lazy gc on insert that should remove timed-out entries fails to release
the other half of the interval, if any.

Can be reproduced with tests/shell/testcases/sets/0044interval_overlap_0
in nftables.git and kmemleak enabled kernel.

Second bug is the use of rbe_prev vs. prev pointer.
If rbe_prev() returns NULL after at least one iteration, rbe_prev points
to element that is not an end interval, hence it should not be removed.

Lastly, check the genmask of the end interval if this is active in the
current generation.
Comment 1 Jon Moroney 2025-09-16 18:58:00 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091641-CVE-2023-53304-9a57@gregkh/T