{"id":"CVE-2023-54243","summary":"netfilter: ebtables: fix table blob use-after-free","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ebtables: fix table blob use-after-free\n\nWe are not allowed to return an error at this point.\nLooking at the code it looks like ret is always 0 at this\npoint, but its not.\n\nt = find_table_lock(net, repl-\u003ename, &ret, &ebt_mutex);\n\n... this can return a valid table, with ret != 0.\n\nThis bug causes update of table-\u003eprivate with the new\nblob, but then frees the blob right away in the caller.\n\nSyzbot report:\n\nBUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168\nRead of size 4 at addr ffffc90005425000 by task kworker/u4:4/74\nWorkqueue: netns cleanup_net\nCall Trace:\n kasan_report+0xbf/0x1f0 mm/kasan/report.c:517\n __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168\n ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372\n ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169\n cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:613\n...\n\nip(6)tables appears to be ok (ret should be 0 at this point) but make\nthis more obvious.","modified":"2026-04-02T09:45:42.233772Z","published":"2025-12-30T12:11:31.180Z","related":["SUSE-SU-2026:0350-1","SUSE-SU-2026:0369-1","SUSE-SU-2026:0411-1","SUSE-SU-2026:0473-1","SUSE-SU-2026:0474-1","SUSE-SU-2026:0496-1","SUSE-SU-2026:0617-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54243.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3dd6ac973351308d4117eda32298a9f1d68764fd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9060abce3305ab2354c892c09d5689df51486df5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cda0e0243bd3c04008fcd37a46b0269fb3c49249"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dbb3cbbf03b3c52cb390fabec357f1e4638004f5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e58a171d35e32e6e8c37cfe0e8a94406732a331f"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54243.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-54243"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c58dd2dd443c26d856a168db108a0cd11c285bf3"},{"fixed":"9060abce3305ab2354c892c09d5689df51486df5"},{"fixed":"dbb3cbbf03b3c52cb390fabec357f1e4638004f5"},{"fixed":"3dd6ac973351308d4117eda32298a9f1d68764fd"},{"fixed":"cda0e0243bd3c04008fcd37a46b0269fb3c49249"},{"fixed":"e58a171d35e32e6e8c37cfe0e8a94406732a331f"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"a3bc0f8ea439762aa62d40a295157410498cbea7"},{"last_affected":"8ed40c122919cd79bc3c059e5864e5e7d9d455f0"},{"last_affected":"c5e4ef499cfc78de45a4f01b8c557b5964d77c53"},{"last_affected":"f34728610b2a8c7b9864f9404f2884c17f6fca5c"},{"last_affected":"8b5740915a9faa8b1fa9166193a33e2a9ae30ec6"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54243.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.15.0"},{"fixed":"5.10.173"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.100"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.18"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.2.5"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54243.json"}}],"schema_version":"1.7.5"}