CVE-2023-3966: 
NixOS vulnerability analysis and mitigation

A vulnerability was discovered in Open vSwitch (CVE-2023-3966) where multiple versions are vulnerable to crafted Geneve packets, which may result in a denial of service and invalid memory accesses. The vulnerability requires hardware offloading via the netlink path to be enabled to be exploitable (NVD, Debian).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The flaw is classified as CWE-248 (Uncaught Exception). The vulnerability was introduced in Open vSwitch version 2.11.0 through commit a468645c6d330943dbe0c8d466e05b9af2d7df0c (Debian).

When exploited, this vulnerability can lead to denial of service conditions and invalid memory accesses in affected Open vSwitch installations. The impact is specifically tied to environments where hardware offloading via the netlink path is enabled (NVD).

The primary mitigation is to disable flow hardware offload if enabled via the setting other_config:hw-offload=false and reboot the system. Multiple versions have been patched including version 3.2.2, 3.1.4, 3.0.6, and 2.17.9. Fixed versions are available for various distributions including Ubuntu, Debian, and Fedora (Ubuntu, Debian).