CVE-2023-52574: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

team: fix null-ptr-deref when team device type is changed

Get a null-ptr-deref bug as follows with reproducer [1].

BUG: kernel NULL pointer dereference, address: 0000000000000228
...
RIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]
...
Call Trace:
 <TASK>
 ? __die+0x24/0x70
 ? page_fault_oops+0x82/0x150
 ? exc_page_fault+0x69/0x150
 ? asm_exc_page_fault+0x26/0x30
 ? vlan_dev_hard_header+0x35/0x140 [8021q]
 ? vlan_dev_hard_header+0x8e/0x140 [8021q]
 neigh_connected_output+0xb2/0x100
 ip6_finish_output2+0x1cb/0x520
 ? nf_hook_slow+0x43/0xc0
 ? ip6_mtu+0x46/0x80
 ip6_finish_output+0x2a/0xb0
 mld_sendpack+0x18f/0x250
 mld_ifc_work+0x39/0x160
 process_one_work+0x1e6/0x3f0
 worker_thread+0x4d/0x2f0
 ? __pfx_worker_thread+0x10/0x10
 kthread+0xe5/0x120
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x34/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1b/0x30

[1]
$ teamd -t team0 -d -c '{"runner": {"name": "loadbalance"}}'
$ ip link add name t-dummy type dummy
$ ip link add link t-dummy name t-dummy.100 type vlan id 100
$ ip link add name t-nlmon type nlmon
$ ip link set t-nlmon master team0
$ ip link set t-nlmon nomaster
$ ip link set t-dummy up
$ ip link set team0 up
$ ip link set t-dummy.100 down
$ ip link set t-dummy.100 master team0

When enslave a vlan device to team device and team device type is changed from non-ether to ether, header_ops of team device is changed to vlan_header_ops. That is incorrect and will trigger null-ptr-deref for vlan->real_dev in vlan_dev_hard_header() because team device is not a vlan device.

Cache eth_header_ops in team_setup(), then assign cached header_ops to header_ops of team net device when its type is changed from non-ether to ether to fix the bug.
AI Analysis
Technical Summary
CVE-2023-52574 is a vulnerability in the Linux kernel related to the handling of team network devices and VLAN (Virtual LAN) devices. Specifically, the issue arises when a VLAN device is enslaved to a team device, and the team device's type is changed from a non-Ethernet to an Ethernet device. The vulnerability is a null pointer dereference in the function vlan_dev_hard_header() within the 8021q module, which handles VLAN operations. This occurs because the header_ops pointer of the team device is incorrectly set to vlan_header_ops when the device type changes, even though the team device itself is not a VLAN device. As a result, vlan->real_dev is null, leading to a kernel NULL pointer dereference and a consequent kernel crash (BUG). The vulnerability can be reproduced by a sequence of network interface commands involving teamd, dummy interfaces, VLAN interfaces, and nlmon interfaces, which manipulate device types and master/slave relationships. The root cause is improper caching and assignment of header_ops during the team device type change. The fix involves caching the Ethernet header_ops in team_setup() and restoring it correctly when the device type changes from non-Ethernet to Ethernet, preventing the null pointer dereference. Although no known exploits are reported in the wild, the vulnerability can cause denial of service by crashing the kernel. It affects Linux kernel versions containing the specified commit hashes, and the issue was publicly disclosed in March 2024.
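The header_ops mix-up described above can be modelled in user space. This is an added example, not kernel code and not code from the advisory: the struct layouts, the helper team_adopt_port_type(), its cached parameter and replay_reproducer() are simplified assumptions, and a return value of -1 stands in for the kernel oops.

```c
#include <stdio.h>

/* User-space model only: simplified stand-ins, not the kernel's structs. */
enum { ARPHRD_ETHER = 1, ARPHRD_NETLINK = 824 };
struct net_device;
struct header_ops { int (*create)(struct net_device *dev); };
struct net_device {
    int type;
    const struct header_ops *header_ops;
    struct net_device *real_dev;   /* models vlan->real_dev; NULL unless a VLAN */
};

static int eth_header(struct net_device *dev) { (void)dev; return 0; }

/* Models vlan_dev_hard_header(): returns -1 where the kernel would oops. */
static int vlan_dev_hard_header(struct net_device *dev) {
    if (dev->real_dev == NULL)
        return -1;
    return dev->real_dev->header_ops->create(dev->real_dev);
}

static const struct header_ops eth_header_ops = { eth_header };
static const struct header_ops vlan_header_ops = { vlan_dev_hard_header };

/* Hypothetical helper; cached != NULL models the fix (setup-time ops restored). */
static void team_adopt_port_type(struct net_device *team,
        const struct net_device *port, const struct header_ops *cached) {
    if (cached != NULL && port->type == ARPHRD_ETHER)
        team->header_ops = cached;             /* fixed: non-ether -> ether */
    else
        team->header_ops = port->header_ops;   /* pre-fix: copy port's ops */
    team->type = port->type;
}

/* Replays the reproducer's ordering; returns 0 (header built) or -1 (oops). */
int replay_reproducer(int with_fix) {
    struct net_device dummy = { ARPHRD_ETHER, &eth_header_ops, NULL };
    struct net_device vlan = { ARPHRD_ETHER, &vlan_header_ops, &dummy };
    struct net_device nlmon = { ARPHRD_NETLINK, NULL, NULL };  /* model: no header_ops */
    struct net_device team0 = { ARPHRD_ETHER, &eth_header_ops, NULL };
    const struct header_ops *cached = with_fix ? team0.header_ops : NULL;

    team_adopt_port_type(&team0, &nlmon, cached);  /* ether -> non-ether */
    team_adopt_port_type(&team0, &vlan, cached);   /* non-ether -> ether */
    return team0.header_ops->create(&team0);       /* transmit path on team0 */
}

int main(void) {
    printf("pre-fix=%d fixed=%d\n", replay_reproducer(0), replay_reproducer(1));
    return 0;
}
```

In the pre-fix path team0 ends up with the VLAN port's callbacks while having no real_dev of its own, which is the condition the call trace shows in vlan_dev_hard_header().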
Potential Impact
For European organizations, this vulnerability poses a risk primarily of denial-of-service (DoS) attacks on Linux systems that use team devices combined with VLAN configurations. Team devices are often used in enterprise environments for network interface aggregation and load balancing, which are common in data centers, cloud infrastructures, and critical network appliances. A successful exploitation could crash the kernel, causing system downtime, disruption of network services, and potential loss of availability for critical applications. While this vulnerability does not directly lead to privilege escalation or data leakage, the resulting DoS could impact business continuity, especially for organizations relying on Linux-based network infrastructure. Given the widespread use of Linux in European enterprises, cloud providers, and telecom operators, the vulnerability could affect a broad range of sectors including finance, manufacturing, government, and telecommunications. The absence of known exploits reduces immediate risk, but the reproducible nature of the bug means attackers with local access or the ability to manipulate network interfaces could trigger the crash. This is particularly relevant for organizations with multi-tenant environments or those that allow untrusted users to configure network interfaces.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2023-52574 as soon as they become available from trusted sources or Linux distributions.
2. Audit and restrict permissions for users and processes that can create or modify team and VLAN network interfaces to trusted administrators only.
3. Monitor kernel logs and system behavior for signs of unexpected crashes or null pointer dereferences related to network device operations.
4. In environments where patching is delayed, consider disabling or avoiding the use of team devices combined with VLANs, or avoid changing team device types dynamically.
5. Employ kernel live patching solutions if available to minimize downtime while applying fixes.
6. Harden network interface configuration management by using configuration management tools that enforce validated settings and prevent unauthorized changes.
7. Conduct regular vulnerability assessments and penetration tests focusing on network device configurations to detect potential exploitation attempts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-03-02T21:55:42.568Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9831c4522896dcbe7ced
Added to database: 5/21/2025, 9:09:05 AM
Last enriched: 7/1/2025, 10:26:20 AM
Last updated: 7/31/2025, 12:32:16 PM