{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-54243","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-30T12:06:44.510Z","datePublished":"2025-12-30T12:11:31.180Z","dateUpdated":"2026-05-11T19:58:13.274Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:58:13.274Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ebtables: fix table blob use-after-free\n\nWe are not allowed to return an error at this point.\nLooking at the code it looks like ret is always 0 at this\npoint, but its not.\n\nt = find_table_lock(net, repl->name, &ret, &ebt_mutex);\n\n... this can return a valid table, with ret != 0.\n\nThis bug causes update of table->private with the new\nblob, but then frees the blob right away in the caller.\n\nSyzbot report:\n\nBUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168\nRead of size 4 at addr ffffc90005425000 by task kworker/u4:4/74\nWorkqueue: netns cleanup_net\nCall Trace:\n kasan_report+0xbf/0x1f0 mm/kasan/report.c:517\n __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168\n ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372\n ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169\n cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:613\n...\n\nip(6)tables appears to be ok (ret should be 0 at this point) but make\nthis more obvious."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bridge/netfilter/ebtables.c","net/ipv4/netfilter/ip_tables.c","net/ipv6/netfilter/ip6_tables.c"],"versions":[{"version":"c58dd2dd443c26d856a168db108a0cd11c285bf3","lessThan":"9060abce3305ab2354c892c09d5689df51486df5","status":"affected","versionType":"git"},{"version":"c58dd2dd443c26d856a168db108a0cd11c285bf3","lessThan":"dbb3cbbf03b3c52cb390fabec357f1e4638004f5","status":"affected","versionType":"git"},{"version":"c58dd2dd443c26d856a168db108a0cd11c285bf3","lessThan":"3dd6ac973351308d4117eda32298a9f1d68764fd","status":"affected","versionType":"git"},{"version":"c58dd2dd443c26d856a168db108a0cd11c285bf3","lessThan":"cda0e0243bd3c04008fcd37a46b0269fb3c49249","status":"affected","versionType":"git"},{"version":"c58dd2dd443c26d856a168db108a0cd11c285bf3","lessThan":"e58a171d35e32e6e8c37cfe0e8a94406732a331f","status":"affected","versionType":"git"},{"version":"a3bc0f8ea439762aa62d40a295157410498cbea7","status":"affected","versionType":"git"},{"version":"8ed40c122919cd79bc3c059e5864e5e7d9d455f0","status":"affected","versionType":"git"},{"version":"c5e4ef499cfc78de45a4f01b8c557b5964d77c53","status":"affected","versionType":"git"},{"version":"f34728610b2a8c7b9864f9404f2884c17f6fca5c","status":"affected","versionType":"git"},{"version":"8b5740915a9faa8b1fa9166193a33e2a9ae30ec6","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bridge/netfilter/ebtables.c","net/ipv4/netfilter/ip_tables.c","net/ipv6/netfilter/ip6_tables.c"],"versions":[{"version":"3.15","status":"affected"},{"version":"0","lessThan":"3.15","status":"unaffected","versionType":"semver"},{"version":"5.10.173","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.100","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.18","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2.5","lessThanOrEqual":"6.2.*","status":"unaffected","versionType":"semver"},{"version":"6.3","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.15","versionEndExcluding":"5.10.173"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.15","versionEndExcluding":"5.15.100"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.15","versionEndExcluding":"6.1.18"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.15","versionEndExcluding":"6.2.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.15","versionEndExcluding":"6.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2.60"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.4.91"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10.41"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.12.21"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.14.5"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/9060abce3305ab2354c892c09d5689df51486df5"},{"url":"https://git.kernel.org/stable/c/dbb3cbbf03b3c52cb390fabec357f1e4638004f5"},{"url":"https://git.kernel.org/stable/c/3dd6ac973351308d4117eda32298a9f1d68764fd"},{"url":"https://git.kernel.org/stable/c/cda0e0243bd3c04008fcd37a46b0269fb3c49249"},{"url":"https://git.kernel.org/stable/c/e58a171d35e32e6e8c37cfe0e8a94406732a331f"}],"title":"netfilter: ebtables: fix table blob use-after-free","x_generator":{"engine":"bippy-1.2.0"}}}}