{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-53492","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-10-01T11:39:39.403Z","datePublished":"2025-10-01T11:45:44.019Z","dateUpdated":"2026-05-11T19:46:02.220Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:46:02.220Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: do not ignore genmask when looking up chain by id\n\nWhen adding a rule to a chain referring to its ID, if that chain had been\ndeleted on the same batch, the rule might end up referring to a deleted\nchain.\n\nThis will lead to a WARNING like following:\n\n[   33.098431] ------------[ cut here ]------------\n[   33.098678] WARNING: CPU: 5 PID: 69 at net/netfilter/nf_tables_api.c:2037 nf_tables_chain_destroy+0x23d/0x260\n[   33.099217] Modules linked in:\n[   33.099388] CPU: 5 PID: 69 Comm: kworker/5:1 Not tainted 6.4.0+ #409\n[   33.099726] Workqueue: events nf_tables_trans_destroy_work\n[   33.100018] RIP: 0010:nf_tables_chain_destroy+0x23d/0x260\n[   33.100306] Code: 8b 7c 24 68 e8 64 9c ed fe 4c 89 e7 e8 5c 9c ed fe 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7 c3 cc cc cc cc <0f> 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7\n[   33.101271] RSP: 0018:ffffc900004ffc48 EFLAGS: 00010202\n[   33.101546] RAX: 0000000000000001 RBX: ffff888006fc0a28 RCX: 0000000000000000\n[   33.101920] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[   33.102649] RBP: ffffc900004ffc78 R08: 0000000000000000 R09: 0000000000000000\n[   33.103018] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880135ef500\n[   33.103385] R13: 0000000000000000 R14: dead000000000122 R15: ffff888006fc0a10\n[   33.103762] FS:  0000000000000000(0000) GS:ffff888024c80000(0000) knlGS:0000000000000000\n[   33.104184] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   33.104493] CR2: 00007fe863b56a50 CR3: 00000000124b0001 CR4: 0000000000770ee0\n[   33.104872] PKRU: 55555554\n[   33.104999] Call Trace:\n[   33.105113]  <TASK>\n[   33.105214]  ? show_regs+0x72/0x90\n[   33.105371]  ? __warn+0xa5/0x210\n[   33.105520]  ? nf_tables_chain_destroy+0x23d/0x260\n[   33.105732]  ? report_bug+0x1f2/0x200\n[   33.105902]  ? handle_bug+0x46/0x90\n[   33.106546]  ? exc_invalid_op+0x19/0x50\n[   33.106762]  ? asm_exc_invalid_op+0x1b/0x20\n[   33.106995]  ? nf_tables_chain_destroy+0x23d/0x260\n[   33.107249]  ? nf_tables_chain_destroy+0x30/0x260\n[   33.107506]  nf_tables_trans_destroy_work+0x669/0x680\n[   33.107782]  ? mark_held_locks+0x28/0xa0\n[   33.107996]  ? __pfx_nf_tables_trans_destroy_work+0x10/0x10\n[   33.108294]  ? _raw_spin_unlock_irq+0x28/0x70\n[   33.108538]  process_one_work+0x68c/0xb70\n[   33.108755]  ? lock_acquire+0x17f/0x420\n[   33.108977]  ? __pfx_process_one_work+0x10/0x10\n[   33.109218]  ? do_raw_spin_lock+0x128/0x1d0\n[   33.109435]  ? _raw_spin_lock_irq+0x71/0x80\n[   33.109634]  worker_thread+0x2bd/0x700\n[   33.109817]  ? __pfx_worker_thread+0x10/0x10\n[   33.110254]  kthread+0x18b/0x1d0\n[   33.110410]  ? __pfx_kthread+0x10/0x10\n[   33.110581]  ret_from_fork+0x29/0x50\n[   33.110757]  </TASK>\n[   33.110866] irq event stamp: 1651\n[   33.111017] hardirqs last  enabled at (1659): [<ffffffffa206a209>] __up_console_sem+0x79/0xa0\n[   33.111379] hardirqs last disabled at (1666): [<ffffffffa206a1ee>] __up_console_sem+0x5e/0xa0\n[   33.111740] softirqs last  enabled at (1616): [<ffffffffa1f5d40e>] __irq_exit_rcu+0x9e/0xe0\n[   33.112094] softirqs last disabled at (1367): [<ffffffffa1f5d40e>] __irq_exit_rcu+0x9e/0xe0\n[   33.112453] ---[ end trace 0000000000000000 ]---\n\nThis is due to the nft_chain_lookup_byid ignoring the genmask. After this\nchange, adding the new rule will fail as it will not find the chain."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/netfilter/nf_tables_api.c"],"versions":[{"version":"837830a4b439bfeb86c70b0115c280377c84714b","lessThan":"4ae2e501331aaa506eaf760339bb2f43e5769395","status":"affected","versionType":"git"},{"version":"837830a4b439bfeb86c70b0115c280377c84714b","lessThan":"041e2ac88caef286b39064e83e825e3f53113d36","status":"affected","versionType":"git"},{"version":"837830a4b439bfeb86c70b0115c280377c84714b","lessThan":"fc95c8b02c6160936f1f3d8d9d7f4f66f3c84b49","status":"affected","versionType":"git"},{"version":"837830a4b439bfeb86c70b0115c280377c84714b","lessThan":"5e5e967e8505fbdabfb6497367ec1b808cadc356","status":"affected","versionType":"git"},{"version":"837830a4b439bfeb86c70b0115c280377c84714b","lessThan":"515ad530795c118f012539ed76d02bacfd426d89","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/netfilter/nf_tables_api.c"],"versions":[{"version":"5.9","status":"affected"},{"version":"0","lessThan":"5.9","status":"unaffected","versionType":"semver"},{"version":"5.10.188","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.121","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.39","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.4.4","lessThanOrEqual":"6.4.*","status":"unaffected","versionType":"semver"},{"version":"6.5","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"5.10.188"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"5.15.121"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.1.39"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.4.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.5"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4ae2e501331aaa506eaf760339bb2f43e5769395"},{"url":"https://git.kernel.org/stable/c/041e2ac88caef286b39064e83e825e3f53113d36"},{"url":"https://git.kernel.org/stable/c/fc95c8b02c6160936f1f3d8d9d7f4f66f3c84b49"},{"url":"https://git.kernel.org/stable/c/5e5e967e8505fbdabfb6497367ec1b808cadc356"},{"url":"https://git.kernel.org/stable/c/515ad530795c118f012539ed76d02bacfd426d89"}],"title":"netfilter: nf_tables: do not ignore genmask when looking up chain by id","x_generator":{"engine":"bippy-1.2.0"}}}}