
CVE-2023-52925: Vulnerability in the Linux kernel

Severity: Medium
Published: Wed Feb 05 2025 (02/05/2025, 09:07:56 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: don't fail inserts if duplicate has expired

nftables selftests fail:

run-tests.sh testcases/sets/0044interval_overlap_0
Expected: 0-2 . 0-3, got:
W: [FAILED] ./testcases/sets/0044interval_overlap_0: got 1

Insertion must ignore duplicate but expired entries.

Moreover, there is a strange asymmetry in nft_pipapo_activate: It refetches the current element, whereas the other ->activate callbacks (bitmap, hash, rhash, rbtree) use elem->priv. Same for .remove: other set implementations take elem->priv, nft_pipapo_remove fetches elem->priv, then does a relookup, remove this.

I suspect this was the reason for the change that prompted the removal of the expired check in pipapo_get() in the first place, but skipping expired elements there makes no sense to me, this helper is used for normal get requests, insertions (duplicate check) and deactivate callback. In first two cases expired elements must be skipped. For ->deactivate(), this gets called for DELSETELEM, so it seems to me that expired elements should be skipped as well, i.e. delete request should fail with -ENOENT error.

AI-Powered Analysis

Last updated: 06/28/2025, 01:54:29 UTC

Technical Analysis

CVE-2023-52925 is a vulnerability in the Linux kernel's netfilter subsystem, specifically within the nftables implementation. The issue relates to how nftables handles insertion of duplicate entries that have expired in its internal sets. Normally, when inserting entries, duplicates should be ignored if they have expired, but due to a flaw in the nft_pipapo set implementation, expired duplicates are not properly skipped, causing insertion failures. The vulnerability stems from inconsistent handling of expired elements across different callbacks (activate, remove, deactivate) and set implementations. The nft_pipapo implementation refetches elements unnecessarily and does not correctly skip expired entries during insertion and deletion operations. This leads to unexpected failures and potentially impacts the availability of nftables-based firewall rules or packet filtering operations. The vulnerability has a CVSS 3.1 base score of 6.2 (medium severity), with an attack vector of local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality or integrity impact (C:N/I:N), but high impact on availability (A:H). No known exploits are reported in the wild as of now. The affected versions are specific Linux kernel commits prior to the fix. The root cause is a logic flaw in handling expired entries in the nft_pipapo set type, causing insertion and deletion operations to fail incorrectly when duplicates have expired, which can disrupt firewall rule management and network traffic filtering.
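The description and analysis above turn on one rule: the shared lookup helper must treat expired elements as absent for get requests, for the duplicate check on insert, and for deactivate (delete). The following C model, written for this page and not taken from the kernel, reduces a pipapo-style set to a flat array of single intervals with absolute expiry times (struct and function names are this example's own) and contrasts the selftest scenario with and without the expired check:

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* One interval element with an absolute expiry time (model only, not kernel code). */
struct elem { unsigned int start, end; unsigned long expires; bool active; };

#define SET_SIZE 8
struct set { struct elem elems[SET_SIZE]; size_t count; };

static bool elem_expired(const struct elem *e, unsigned long now) { return now >= e->expires; }

/* Shared lookup used by get, insert (duplicate check) and delete (deactivate).
 * skip_expired=false models the helper without the expired check. */
static struct elem *set_get(struct set *s, unsigned int start, unsigned int end,
                            unsigned long now, bool skip_expired)
{
    for (size_t i = 0; i < s->count; i++) {
        struct elem *e = &s->elems[i];
        if (!e->active || (skip_expired && elem_expired(e, now))) continue;
        if (e->start == start && e->end == end) return e;
    }
    return NULL;
}

/* Insert [start,end] with a timeout. Returns 0, -EEXIST on a live duplicate, -ENOSPC if full.
 * With skip_expired=true an expired duplicate is not a conflict and its slot is reused. */
static int set_insert(struct set *s, unsigned int start, unsigned int end,
                      unsigned long timeout, unsigned long now, bool skip_expired)
{
    if (set_get(s, start, end, now, skip_expired)) return -EEXIST;
    struct elem fresh = { start, end, now + timeout, true };
    for (size_t i = 0; i < s->count; i++) {
        struct elem *e = &s->elems[i];
        if (!e->active || elem_expired(e, now)) { *e = fresh; return 0; }
    }
    if (s->count == SET_SIZE) return -ENOSPC;
    s->elems[s->count++] = fresh;
    return 0;
}

/* Delete (DELSETELEM): an expired element is treated as absent, so -ENOENT. */
static int set_delete(struct set *s, unsigned int start, unsigned int end, unsigned long now)
{
    struct elem *e = set_get(s, start, end, now, true);
    if (!e) return -ENOENT;
    e->active = false;
    return 0;
}

/* Replays the selftest idea: add 0-2 with timeout 10 at t=100, let it expire, add 0-2 again
 * at t=120. Returns the second insert's result: 0 with the expired check, -EEXIST without it. */
static int reinsert_after_expiry(bool skip_expired)
{
    struct set s = { .count = 0 };
    set_insert(&s, 0, 2, 10, 100, skip_expired);
    return set_insert(&s, 0, 2, 10, 120, skip_expired);
}
```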

Potential Impact

For European organizations relying on Linux-based systems for network infrastructure, servers, or embedded devices, this vulnerability could cause disruptions in firewall and packet filtering functionality. Since nftables is widely used as the default packet filtering framework in modern Linux distributions, failure to insert or delete rules correctly can lead to firewall misconfigurations or denial of service conditions where legitimate traffic is blocked or malicious traffic is not filtered. This impacts availability of network services and potentially exposes systems to increased risk if firewall rules cannot be reliably managed. Although the vulnerability requires local access to exploit and does not directly compromise confidentiality or integrity, the availability impact can be significant in critical infrastructure, data centers, or cloud environments prevalent in Europe. Organizations with automated firewall management relying on nftables sets could experience failures in rule updates, leading to operational disruptions. The lack of known exploits reduces immediate risk, but the medium severity and local attack vector mean that insider threats or compromised local users could trigger this issue.

Mitigation Recommendations

European organizations should promptly apply Linux kernel updates that include the fix for CVE-2023-52925. Since the vulnerability is in the nftables subsystem, updating to a patched kernel version is the most effective mitigation. Additionally, organizations should audit their firewall management processes to detect any failures or anomalies in rule insertions or deletions. Where possible, restrict local access to trusted users only, minimizing the risk of exploitation by unprivileged local attackers. For critical systems, consider implementing monitoring for nftables errors or failures in rule management to detect potential exploitation attempts or operational issues. In environments using custom nftables scripts or automation, validate that these scripts handle insertion failures gracefully and implement fallback mechanisms. Finally, maintain a robust patch management process to ensure timely deployment of kernel security updates across all Linux systems.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-08-21T06:07:11.018Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9821c4522896dcbdd8ad

Added to database: 5/21/2025, 9:08:49 AM

Last enriched: 6/28/2025, 1:54:29 AM

Last updated: 7/31/2025, 12:30:43 PM
