
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-5972 is a null pointer dereference vulnerability discovered in the nft_inner.c functionality of netfilter in the Linux kernel. The vulnerability was reported on November 6, 2023, and affects Linux kernel versions from 6.2-rc1 up to 6.6-rc6. This security flaw could allow a local user to crash the system or potentially escalate their privileges (NVD, RedHat).
The vulnerability stems from two similar flaws in nftables where netlink attributes are accessed without proper presence verification. The first vulnerability occurs in nft_inner_init(), where the NFTA_INNER_NUM netlink attribute is accessed without checking its presence. The second vulnerability exists in nft_expr_inner_parse(), where the NFTA_EXPR_NAME netlink attribute is similarly accessed without verification. Both issues can lead to null pointer dereference errors. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).
The vulnerability can allow a local attacker to cause a denial of service condition by crashing the system or potentially escalate their privileges on the affected system. This affects the system's stability and security, particularly in environments where local access is available to untrusted users (Ubuntu).
The vulnerability has been fixed in Linux kernel version 6.6-rc7 through two commits. The first commit (505ce0630ad5) addresses the NFTA_EXPR_NAME attribute verification in nft_expr_inner_parse(), while the second commit (52177bbf19e6) fixes the NFTA_INNER_NUM attribute verification in nft_inner_init(). Users are advised to update their Linux kernel to a patched version (GitHub Commit 1, GitHub Commit 2).
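The unchecked-attribute pattern described above and its corrected form, as an added user-space model (not kernel source and not the code from the fix commits). The ids A_NUM and A_FLAGS, struct attr and all function names are assumptions made for this model; A_NUM stands in for a mandatory attribute such as NFTA_INNER_NUM.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed ids for this model; not the kernel's enum values. */
enum { A_UNSPEC, A_NUM, A_FLAGS, A_MAX = A_FLAGS };
struct attr { uint16_t type; uint32_t value; };   /* simplified attribute */

/* Models attribute parsing: tb[type] is set if sent, NULL if omitted. */
static void parse_attrs(const struct attr *msg, size_t n, const struct attr **tb)
{
    memset(tb, 0, (A_MAX + 1) * sizeof(*tb));
    for (size_t i = 0; i < n; i++)
        if (msg[i].type > A_UNSPEC && msg[i].type <= A_MAX)
            tb[msg[i].type] = &msg[i];
}

/* Flawed pattern: trusts that A_NUM was sent; NULL dereference if it was not. */
static int init_unchecked(const struct attr *msg, size_t n, uint32_t *num)
{
    const struct attr *tb[A_MAX + 1];
    parse_attrs(msg, n, tb);
    *num = tb[A_NUM]->value;
    return 0;
}

/* Corrected pattern: verify presence before any access, else -EINVAL. */
static int init_checked(const struct attr *msg, size_t n, uint32_t *num)
{
    const struct attr *tb[A_MAX + 1];
    parse_attrs(msg, n, tb);
    if (!tb[A_NUM] || !tb[A_FLAGS])
        return -EINVAL;
    *num = tb[A_NUM]->value;
    return 0;
}

int main(void)
{
    /* Constructed messages: one complete, one with A_NUM omitted. */
    const struct attr full[] = { { A_NUM, 7 }, { A_FLAGS, 1 } };
    const struct attr partial[] = { { A_FLAGS, 1 } };
    uint32_t num = 0;
    int rc = init_unchecked(full, 2, &num);   /* safe only because A_NUM is present */
    printf("unchecked, complete message: rc=%d num=%u\n", rc, (unsigned)num);
    printf("checked, A_NUM omitted:      rc=%d\n", init_checked(partial, 1, &num));
    return 0;
}
```

Both functions behave identically on a complete message; only the checked form returns an error instead of faulting when the sender leaves the attribute out.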
Source: This report was generated using AI