CVE-2023-35788: out-of-bounds write in the Linux kernel flower classifier
An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.
AI Analysis
Technical Summary
CVE-2023-35788 is a high-severity vulnerability in the Linux kernel's network scheduler, specifically in the flower classifier code in net/sched/cls_flower.c. The flaw is in the function fl_set_geneve_opt, which processes Geneve encapsulation options. It is an out-of-bounds write (CWE-787) triggered by malformed TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. A local attacker with low privileges can exploit the flaw with low attack complexity to write data beyond the intended buffer boundary. The consequences include denial of service (kernel crash or panic) or privilege escalation, letting the attacker gain higher system privileges. The vulnerability affects Linux kernel versions before 6.3.7, and no public exploits had been reported in the wild as of the publication date (June 16, 2023). The CVSS v3.1 base score is 7.8: high impact on confidentiality, integrity, and availability, with the attack vector limited to local access, low privileges required, and no user interaction. The flaw matters broadly because the Linux kernel underpins many operating systems used in enterprise and cloud environments, and the flower classifier is used for advanced packet filtering and traffic control, often in data center and network infrastructure. Exploitation could allow an attacker to disrupt network functions or escalate privileges on affected systems.
Potential Impact
For European organizations, this vulnerability poses significant risk, especially for those relying on Linux-based infrastructure in data centers, cloud services, and network equipment. Denial of service could disrupt critical business operations, while privilege escalation could lead to unauthorized access to sensitive data and systems. Telecommunications, finance, government, and critical infrastructure operators that use Linux extensively for networking and server workloads are particularly exposed. Because the flaw is in the kernel, successful exploitation could compromise the entire system, affecting the confidentiality, integrity, and availability of data and services. Organizations running containerized environments or virtualized network functions that depend on the Linux kernel's networking stack may also be at risk. The absence of known exploits in the wild reduces the immediate threat but does not eliminate it, as attackers may develop exploits over time. European organizations should therefore prioritize patching and mitigation.
Mitigation Recommendations
1. Apply kernel updates: Organizations should promptly update Linux systems to kernel version 6.3.7 or later, where this vulnerability is patched. If immediate upgrade is not feasible, consider backported patches from trusted vendors.
2. Restrict local access: Limit user privileges and restrict local access to systems running vulnerable kernels to trusted personnel only. Employ strict access controls and monitoring to detect suspicious activity.
3. Network segmentation: Isolate critical systems and network infrastructure to reduce the attack surface and limit potential lateral movement in case of exploitation.
4. Monitor kernel logs and network traffic: Implement enhanced logging and anomaly detection focused on flower classifier usage and Geneve packet processing to identify potential exploitation attempts.
5. Harden container and virtualization environments: Ensure that container runtimes and virtual network functions are running on patched kernels and apply security best practices to minimize privilege escalation risks.
6. Vendor coordination: Engage with Linux distribution vendors and infrastructure providers to track patch availability and deployment status.
7. Incident response readiness: Prepare for potential exploitation scenarios by establishing clear response procedures and backup strategies to minimize downtime and data loss.
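As an added defender-side check for recommendation 1 (not part of this advisory or of the kernel project), the following POSIX shell script compares the running kernel's upstream version against the 6.3.7 fix threshold named above and reports whether the cls_flower module is loaded; the suffix-stripping rule and the backport caveat are its own assumptions.

```shell
#!/bin/sh
# Added defender check, not from the advisory: is the running kernel at or above
# 6.3.7 (the fixed release named above for CVE-2023-35788), and is the flower
# classifier module loaded? Distributions backport fixes, so "below 6.3.7" means
# "confirm against the vendor advisory", not confirmed exposure.
FIXED_VERSION="6.3.7"

# upstream_version: strip distro suffixes, e.g. "5.15.0-76-generic" -> "5.15.0".
upstream_version() {
    printf '%s' "$1" | sed 's/[^0-9.].*//'
}

# version_ge A B: exit 0 when dotted version A >= B, comparing major.minor.patch;
# ".0.0" is appended so short versions such as "6.3" compare as "6.3.0".
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        p1=$(printf '%s.0.0' "$1" | cut -d. -f"$i")
        p2=$(printf '%s.0.0' "$2" | cut -d. -f"$i")
        [ "$p1" -gt "$p2" ] && return 0
        [ "$p1" -lt "$p2" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# kernel_patched VERSION: exit 0 when the upstream part of VERSION carries the fix.
kernel_patched() {
    version_ge "$(upstream_version "$1")" "$FIXED_VERSION"
}

# flower_loaded: exit 0 when cls_flower is loaded as a module (Linux hosts only).
flower_loaded() {
    grep -qs '^cls_flower ' /proc/modules
}

main() {
    running=${1:-$(uname -r)}
    if kernel_patched "$running"; then
        echo "kernel $running: at or above $FIXED_VERSION, upstream fix present"
    else
        echo "kernel $running: below $FIXED_VERSION, confirm vendor backport for CVE-2023-35788"
    fi
    if flower_loaded; then
        echo "cls_flower is loaded, so the affected classifier code path is active on this host"
    fi
}

main "$@"
```

Run it on each host (or pass a version string as the first argument) and treat a "below" result plus a loaded cls_flower as the highest-priority combination for patching.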
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2023-06-16T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d981fc4522896dcbdc668
Added to database: 5/21/2025, 9:08:47 AM
Last enriched: 7/3/2025, 12:58:11 PM
Last updated: 7/31/2025, 6:13:40 AM