5.5
MEDIUM
CVE-2023-52574
Linux Team Device Ether Type Change Null Pointer Dereference
Description

In the Linux kernel, the following vulnerability has been resolved: team: fix null-ptr-deref when team device type is changed Get a null-ptr-deref bug as follows with reproducer [1]. BUG: kernel NULL pointer dereference, address: 0000000000000228 ... RIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q] ... Call Trace: <TASK> ? __die+0x24/0x70 ? page_fault_oops+0x82/0x150 ? exc_page_fault+0x69/0x150 ? asm_exc_page_fault+0x26/0x30 ? vlan_dev_hard_header+0x35/0x140 [8021q] ? vlan_dev_hard_header+0x8e/0x140 [8021q] neigh_connected_output+0xb2/0x100 ip6_finish_output2+0x1cb/0x520 ? nf_hook_slow+0x43/0xc0 ? ip6_mtu+0x46/0x80 ip6_finish_output+0x2a/0xb0 mld_sendpack+0x18f/0x250 mld_ifc_work+0x39/0x160 process_one_work+0x1e6/0x3f0 worker_thread+0x4d/0x2f0 ? __pfx_worker_thread+0x10/0x10 kthread+0xe5/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 [1] $ teamd -t team0 -d -c '{"runner": {"name": "loadbalance"}}' $ ip link add name t-dummy type dummy $ ip link add link t-dummy name t-dummy.100 type vlan id 100 $ ip link add name t-nlmon type nlmon $ ip link set t-nlmon master team0 $ ip link set t-nlmon nomaster $ ip link set t-dummy up $ ip link set team0 up $ ip link set t-dummy.100 down $ ip link set t-dummy.100 master team0 When enslave a vlan device to team device and team device type is changed from non-ether to ether, header_ops of team device is changed to vlan_header_ops. That is incorrect and will trigger null-ptr-deref for vlan->real_dev in vlan_dev_hard_header() because team device is not a vlan device. Cache eth_header_ops in team_setup(), then assign cached header_ops to header_ops of team net device when its type is changed from non-ether to ether to fix the bug.

INFO

Published Date :

March 2, 2024, 10:15 p.m.

Last Modified :

Dec. 11, 2024, 3:30 p.m.

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Remotely Exploitable :

No

Impact Score :

3.6

Exploitability Score :

1.8
Affected Products

The following products are affected by CVE-2023-52574 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
: Total Affected Vendor : 1 | Products : 1
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2023-52574.

URL Resource
https://git.kernel.org/stable/c/1779eb51b9cc628cee551f252701a85a2a50a457 Patch
https://git.kernel.org/stable/c/2f0acb0736ecc3eb85dc80ad2790d634dcb10b58 Patch
https://git.kernel.org/stable/c/492032760127251e5540a5716a70996bacf2a3fd Patch
https://git.kernel.org/stable/c/a7fb47b9711101d2405b0eb1276fb1f9b9b270c7 Patch
https://git.kernel.org/stable/c/b44dd92e2afd89eb6e9d27616858e72a67bdc1a7 Patch
https://git.kernel.org/stable/c/c5f6478686bb45f453031594ae19b6c9723a780d Patch
https://git.kernel.org/stable/c/cac50d9f5d876be32cb9aa21c74018468900284d Patch
https://git.kernel.org/stable/c/cd05eec2ee0cc396813a32ef675634e403748255 Patch
https://git.kernel.org/stable/c/1779eb51b9cc628cee551f252701a85a2a50a457 Patch
https://git.kernel.org/stable/c/2f0acb0736ecc3eb85dc80ad2790d634dcb10b58 Patch
https://git.kernel.org/stable/c/492032760127251e5540a5716a70996bacf2a3fd Patch
https://git.kernel.org/stable/c/a7fb47b9711101d2405b0eb1276fb1f9b9b270c7 Patch
https://git.kernel.org/stable/c/b44dd92e2afd89eb6e9d27616858e72a67bdc1a7 Patch
https://git.kernel.org/stable/c/c5f6478686bb45f453031594ae19b6c9723a780d Patch
https://git.kernel.org/stable/c/cac50d9f5d876be32cb9aa21c74018468900284d Patch
https://git.kernel.org/stable/c/cd05eec2ee0cc396813a32ef675634e403748255 Patch

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2023-52574 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2023-52574 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Dec. 11, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    Added CWE NIST CWE-476
    Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 3.7 up to (excluding) 4.14.327 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.15 up to (excluding) 4.19.296 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 up to (excluding) 5.4.258 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.198 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.134 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.56 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.5.6 *cpe:2.3:o:linux:linux_kernel:6.6:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.6:rc2:*:*:*:*:*:*
    Changed Reference Type https://git.kernel.org/stable/c/1779eb51b9cc628cee551f252701a85a2a50a457 No Types Assigned https://git.kernel.org/stable/c/1779eb51b9cc628cee551f252701a85a2a50a457 Patch
    Changed Reference Type https://git.kernel.org/stable/c/1779eb51b9cc628cee551f252701a85a2a50a457 No Types Assigned https://git.kernel.org/stable/c/1779eb51b9cc628cee551f252701a85a2a50a457 Patch
    Changed Reference Type https://git.kernel.org/stable/c/2f0acb0736ecc3eb85dc80ad2790d634dcb10b58 No Types Assigned https://git.kernel.org/stable/c/2f0acb0736ecc3eb85dc80ad2790d634dcb10b58 Patch
    Changed Reference Type https://git.kernel.org/stable/c/2f0acb0736ecc3eb85dc80ad2790d634dcb10b58 No Types Assigned https://git.kernel.org/stable/c/2f0acb0736ecc3eb85dc80ad2790d634dcb10b58 Patch
    Changed Reference Type https://git.kernel.org/stable/c/492032760127251e5540a5716a70996bacf2a3fd No Types Assigned https://git.kernel.org/stable/c/492032760127251e5540a5716a70996bacf2a3fd Patch
    Changed Reference Type https://git.kernel.org/stable/c/492032760127251e5540a5716a70996bacf2a3fd No Types Assigned https://git.kernel.org/stable/c/492032760127251e5540a5716a70996bacf2a3fd Patch
    Changed Reference Type https://git.kernel.org/stable/c/a7fb47b9711101d2405b0eb1276fb1f9b9b270c7 No Types Assigned https://git.kernel.org/stable/c/a7fb47b9711101d2405b0eb1276fb1f9b9b270c7 Patch
    Changed Reference Type https://git.kernel.org/stable/c/a7fb47b9711101d2405b0eb1276fb1f9b9b270c7 No Types Assigned https://git.kernel.org/stable/c/a7fb47b9711101d2405b0eb1276fb1f9b9b270c7 Patch
    Changed Reference Type https://git.kernel.org/stable/c/b44dd92e2afd89eb6e9d27616858e72a67bdc1a7 No Types Assigned https://git.kernel.org/stable/c/b44dd92e2afd89eb6e9d27616858e72a67bdc1a7 Patch
    Changed Reference Type https://git.kernel.org/stable/c/b44dd92e2afd89eb6e9d27616858e72a67bdc1a7 No Types Assigned https://git.kernel.org/stable/c/b44dd92e2afd89eb6e9d27616858e72a67bdc1a7 Patch
    Changed Reference Type https://git.kernel.org/stable/c/c5f6478686bb45f453031594ae19b6c9723a780d No Types Assigned https://git.kernel.org/stable/c/c5f6478686bb45f453031594ae19b6c9723a780d Patch
    Changed Reference Type https://git.kernel.org/stable/c/c5f6478686bb45f453031594ae19b6c9723a780d No Types Assigned https://git.kernel.org/stable/c/c5f6478686bb45f453031594ae19b6c9723a780d Patch
    Changed Reference Type https://git.kernel.org/stable/c/cac50d9f5d876be32cb9aa21c74018468900284d No Types Assigned https://git.kernel.org/stable/c/cac50d9f5d876be32cb9aa21c74018468900284d Patch
    Changed Reference Type https://git.kernel.org/stable/c/cac50d9f5d876be32cb9aa21c74018468900284d No Types Assigned https://git.kernel.org/stable/c/cac50d9f5d876be32cb9aa21c74018468900284d Patch
    Changed Reference Type https://git.kernel.org/stable/c/cd05eec2ee0cc396813a32ef675634e403748255 No Types Assigned https://git.kernel.org/stable/c/cd05eec2ee0cc396813a32ef675634e403748255 Patch
    Changed Reference Type https://git.kernel.org/stable/c/cd05eec2ee0cc396813a32ef675634e403748255 No Types Assigned https://git.kernel.org/stable/c/cd05eec2ee0cc396813a32ef675634e403748255 Patch
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference https://git.kernel.org/stable/c/1779eb51b9cc628cee551f252701a85a2a50a457
    Added Reference https://git.kernel.org/stable/c/2f0acb0736ecc3eb85dc80ad2790d634dcb10b58
    Added Reference https://git.kernel.org/stable/c/492032760127251e5540a5716a70996bacf2a3fd
    Added Reference https://git.kernel.org/stable/c/a7fb47b9711101d2405b0eb1276fb1f9b9b270c7
    Added Reference https://git.kernel.org/stable/c/b44dd92e2afd89eb6e9d27616858e72a67bdc1a7
    Added Reference https://git.kernel.org/stable/c/c5f6478686bb45f453031594ae19b6c9723a780d
    Added Reference https://git.kernel.org/stable/c/cac50d9f5d876be32cb9aa21c74018468900284d
    Added Reference https://git.kernel.org/stable/c/cd05eec2ee0cc396813a32ef675634e403748255
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 28, 2024

    Action Type Old Value New Value
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 14, 2024

    Action Type Old Value New Value
  • CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Mar. 02, 2024

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: team: fix null-ptr-deref when team device type is changed Get a null-ptr-deref bug as follows with reproducer [1]. BUG: kernel NULL pointer dereference, address: 0000000000000228 ... RIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q] ... Call Trace: <TASK> ? __die+0x24/0x70 ? page_fault_oops+0x82/0x150 ? exc_page_fault+0x69/0x150 ? asm_exc_page_fault+0x26/0x30 ? vlan_dev_hard_header+0x35/0x140 [8021q] ? vlan_dev_hard_header+0x8e/0x140 [8021q] neigh_connected_output+0xb2/0x100 ip6_finish_output2+0x1cb/0x520 ? nf_hook_slow+0x43/0xc0 ? ip6_mtu+0x46/0x80 ip6_finish_output+0x2a/0xb0 mld_sendpack+0x18f/0x250 mld_ifc_work+0x39/0x160 process_one_work+0x1e6/0x3f0 worker_thread+0x4d/0x2f0 ? __pfx_worker_thread+0x10/0x10 kthread+0xe5/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 [1] $ teamd -t team0 -d -c '{"runner": {"name": "loadbalance"}}' $ ip link add name t-dummy type dummy $ ip link add link t-dummy name t-dummy.100 type vlan id 100 $ ip link add name t-nlmon type nlmon $ ip link set t-nlmon master team0 $ ip link set t-nlmon nomaster $ ip link set t-dummy up $ ip link set team0 up $ ip link set t-dummy.100 down $ ip link set t-dummy.100 master team0 When enslave a vlan device to team device and team device type is changed from non-ether to ether, header_ops of team device is changed to vlan_header_ops. That is incorrect and will trigger null-ptr-deref for vlan->real_dev in vlan_dev_hard_header() because team device is not a vlan device. Cache eth_header_ops in team_setup(), then assign cached header_ops to header_ops of team net device when its type is changed from non-ether to ether to fix the bug.
    Added Reference Linux https://git.kernel.org/stable/c/1779eb51b9cc628cee551f252701a85a2a50a457 [No types assigned]
    Added Reference Linux https://git.kernel.org/stable/c/a7fb47b9711101d2405b0eb1276fb1f9b9b270c7 [No types assigned]
    Added Reference Linux https://git.kernel.org/stable/c/c5f6478686bb45f453031594ae19b6c9723a780d [No types assigned]
    Added Reference Linux https://git.kernel.org/stable/c/b44dd92e2afd89eb6e9d27616858e72a67bdc1a7 [No types assigned]
    Added Reference Linux https://git.kernel.org/stable/c/cd05eec2ee0cc396813a32ef675634e403748255 [No types assigned]
    Added Reference Linux https://git.kernel.org/stable/c/2f0acb0736ecc3eb85dc80ad2790d634dcb10b58 [No types assigned]
    Added Reference Linux https://git.kernel.org/stable/c/cac50d9f5d876be32cb9aa21c74018468900284d [No types assigned]
    Added Reference Linux https://git.kernel.org/stable/c/492032760127251e5540a5716a70996bacf2a3fd [No types assigned]
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2023-52574 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2023-52574 weaknesses.

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
:
© cvefeed.io
Latest DB Update: Jul. 14, 2025 10:28