A flaw was found in the Linux kernel's Netfilter nf_tables subsystem (net/netfilter/nf_tables_api.c). It can lead to a use-after-free in nftables when a batch request handles a set that is both named and anonymous. nftables allows creating a named set that is also marked anonymous by setting the NFT_SET_ANONYMOUS flag. When a rule referencing such a malformed set is destroyed, the set is destroyed along with it, because the set is marked anonymous. A rule can be made to fail and be destroyed by mangling certain bytes in its bytecode. Because the set also has a name, a later rule can still reference it, at which point the use-after-free is triggered. The caveat is that all of this has to happen within a single batch transaction: the reference to any set created in a batch transaction remains in the transaction list even after the set has been destroyed. Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1240eb93f0616b21c675416516ff3d74798fdc97
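The lifecycle described above, reduced to a small user-space model (added here as an illustration; this is not the kernel's code and not the fix from the referenced commit). The `struct set`, `struct rule`, `struct trans` types, the `freed` tombstone and the `run_batch()` driver are all assumptions of the model. It shows why the batch transaction matters: the transaction list keeps a pointer to the set, so destroying the set when its first rule fails leaves a dangling reference that a later rule in the same batch can resolve by name. The "fixed" variant models the mitigation as deferring reclamation to the end of the batch by marking the set inactive, which is an assumption about the approach rather than a transcription of the upstream patch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same value as NFT_SET_ANONYMOUS in include/uapi/linux/netfilter/nf_tables.h */
#define NFT_SET_ANONYMOUS 0x1

/* Model of a set as the batch sees it. 'freed' is a model-only tombstone that
 * stands in for kfree() so the demo can report a dangling reference without
 * dereferencing memory that was actually released. */
struct set {
    char name[32];
    unsigned int flags;
    bool inactive;   /* hardened path: marked dead, reclaimed when the batch ends */
    bool freed;      /* vulnerable path: "kfree'd" while still referenced */
};

struct rule {
    struct set *lookup;  /* the lookup expression's set reference */
};

/* Transaction list: every set created in the batch keeps a pointer here
 * until the batch is committed or aborted. */
struct trans {
    struct set *sets[8];
    int nsets;
};

static struct set *set_new(struct trans *t, const char *name, unsigned int flags)
{
    struct set *s = calloc(1, sizeof *s);
    snprintf(s->name, sizeof s->name, "%s", name);
    s->flags = flags;
    t->sets[t->nsets++] = s;   /* reference outlives any early destroy */
    return s;
}

/* Vulnerable model: destroying a rule destroys its anonymous set at once,
 * although the transaction list still points at it. */
static void rule_destroy_vuln(struct rule *r)
{
    if (r->lookup->flags & NFT_SET_ANONYMOUS)
        r->lookup->freed = true;   /* stands in for freeing the set */
}

/* Hardened model (assumption): inside a batch only mark the set inactive;
 * the end-of-batch path reclaims it once no later rule can resolve it. */
static void rule_destroy_fixed(struct rule *r)
{
    if (r->lookup->flags & NFT_SET_ANONYMOUS)
        r->lookup->inactive = true;
}

/* Resolve a set by name the way a later rule in the same batch would. */
static struct set *set_lookup(struct trans *t, const char *name)
{
    for (int i = 0; i < t->nsets; i++) {
        struct set *s = t->sets[i];
        if (strcmp(s->name, name) == 0 && !s->inactive)
            return s;
    }
    return NULL;
}

/* Runs the two-rule batch from the description with the given destroy policy.
 * Returns 1 if rule 2 resolved to an already-freed set (use-after-free),
 * -1 if the name could no longer be resolved, 0 if it resolved to a live set. */
int run_batch(void (*destroy)(struct rule *))
{
    struct trans t = {0};
    /* Constructed input: a set that carries a user-chosen name AND the
     * anonymous flag, which is the malformed combination described above. */
    struct set *s = set_new(&t, "named_but_anon", NFT_SET_ANONYMOUS);
    struct rule r1 = { .lookup = s };

    destroy(&r1);   /* rule 1 is rejected (mangled bytecode) and torn down */

    struct set *again = set_lookup(&t, "named_but_anon");  /* rule 2 */
    int result = again == NULL ? -1 : (again->freed ? 1 : 0);

    for (int i = 0; i < t.nsets; i++)   /* batch ends: reclaim everything */
        free(t.sets[i]);
    return result;
}

int main(void)
{
    printf("vulnerable policy: %d (1 = use-after-free)\n", run_batch(rule_destroy_vuln));
    printf("deferred policy:   %d (-1 = set no longer resolvable)\n", run_batch(rule_destroy_fixed));
    return 0;
}
```

The point of the model is the ownership mismatch: the transaction list owns a reference for the whole batch, so any code path that frees the set before commit or abort runs, as the immediate-destroy policy does, leaves that reference dangling. Deferring reclamation to the batch boundary keeps the single owner.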
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2218699]
I think this is a duplicate CVE assignment for CVE-2023-3390. Can you please reject this CVE?
This was fixed for Fedora with the 6.3.9 stable kernel updates.
*** Bug 2218605 has been marked as a duplicate of this bug. ***
In reply to comment #19:
> I think this is a duplicate CVE assignment for CVE-2023-3390. Can you please
> reject this CVE?

Done. Closed the CVE-2023-3390. Asked https://cveform.mitre.org/ to mark CVE-2023-3390 as a duplicate of CVE-2023-3117.
Alex, I believe it should be the other way around. CVE-2023-3390 assigned by Google LLC was published earlier than the CVE-2023-3117 assigned by Red Hat, Inc. A query to MITRE CNA seems to indicate the same, that CVE-2023-3390 should be kept and CVE-2023-3117 rejected at CNA level.
I see that this might have been confusing by my saying "this CVE", I should have explicitly said it is CVE-2023-3117 to be rejected.
In reply to comment #24:
> Alex, I believe it should be the other way around. CVE-2023-3390 assigned by
> Google LLC was published earlier than the CVE-2023-3117 assigned by Red Hat,
> Inc. A query to MITRE CNA seems to indicate the same, that CVE-2023-3390
> should be kept and CVE-2023-3117 rejected at CNA level.

I missed this. Updated this one from CVE-2023-3117 to CVE-2023-3390. Asked https://cveform.mitre.org/ again regarding this. Thank you.
(In reply to Alex from comment #26)
> In reply to comment #24:
> > Alex, I believe it should be the other way around. CVE-2023-3390 assigned by
> > Google LLC was published earlier than the CVE-2023-3117 assigned by Red Hat,
> > Inc. A query to MITRE CNA seems to indicate the same, that CVE-2023-3390
> > should be kept and CVE-2023-3117 rejected at CNA level.
>
> I missed this. Updated this one from CVE-2023-3117 to CVE-2023-3390.
> Asked https://cveform.mitre.org/ again regarding this.
> Thank you.

Thank you!
*** Bug 2227020 has been marked as a duplicate of this bug. ***