CVE-2023-6817: 
Linux Kernel vulnerability analysis and mitigation

A use-after-free vulnerability was discovered in the Linux kernel's netfilter: nf_tables component, specifically in the PIPAPO (Pile Packet Policies) implementation. The vulnerability was identified in December 2023 and tracked as CVE-2023-6817. The issue affects Linux kernel versions from 5.6 up to versions before 5.10.204, 5.15.143, 6.1.68, and 6.6.7. The vulnerability stems from the nft_pipapo_walk function not properly skipping inactive elements during set walk operations (OSS Security, NVD).

The vulnerability occurs in the netfilter's nf_tables component when the nft_pipapo_walk function processes set elements. When calling NFT_MSG_DELSETELEM command without a specified set element, all elements in the target set are deleted. During this process, nft_set_flush() calls set->ops->walk(), but the function does not check the activeness of elements before operating on them. This oversight can lead to double deactivations of PIPAPO elements, resulting in a use-after-free condition. The issue has been assigned a CVSS v3.1 base score of 7.8 (High) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (OSS Security, NVD).

The vulnerability can be exploited to achieve local privilege escalation or cause a denial of service. The exploitation requires the attacker to have CAP_NET_ADMIN capability in any user or network namespace. When successfully exploited, it can lead to system crashes or potential arbitrary code execution with elevated privileges (Debian LTS, NVD).

The vulnerability has been fixed in Linux kernel version 6.7-rc5 with commit 317eb9685095678f2c9f5a8189de698c5354316a. The fix has been backported to stable kernel versions 5.10.204, 5.15.143, 6.1.68, and 6.6.7. Users are recommended to upgrade their kernel to these versions or later. For systems that cannot be immediately updated, limiting access to the CAP_NET_ADMIN capability can help mitigate the risk (Kernel Patch, OSS Security).