CVE-2023-1281: 
Linux Kernel vulnerability analysis and mitigation

A Use After Free vulnerability was discovered in the Linux kernel traffic control index filter (tcindex) affecting versions from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2. The vulnerability was discovered and disclosed in March 2023, identified as CVE-2023-1281. The imperfect hash area can be updated while packets are traversing, which causes a use-after-free condition when 'tcfextsexec()' is called with the destroyed tcf_ext (Ubuntu Security, NVD).

The vulnerability exists in the tcindex classifier's handling of extensions in its .change function (tcindexchange). Unlike most classifiers that use tcfqueuework() with queuercuwork() to ensure proper RCU grace period before deletion, tcindex directly destroys old extensions using tcfextschange(). This leads to a race condition where tcfextsdestroy() can be called while another thread is inside tcfactionexec, resulting in use-after-free on exts->actions array or individual tcaction objects (Openwall).

The vulnerability allows a local attacker with CAPNETADMIN capabilities to elevate their privileges to root. The imperfect hash area can be updated while packets are traversing, leading to potential system compromise through privilege escalation (Debian Security, NetApp Security).

The vulnerability was fixed in Linux kernel commit ee059170b1f7e94e55fa6cadee544e176a6e59c2 titled 'net/sched: tcindex: update imperfect hash filters respecting rcu'. Due to the high number of issues in the code and lack of known users, kernel maintainers decided to remove the entire tcindex classifier. This change was committed and backported to all stable kernels (Kernel Commit).