CVE-2023-7192: 
Linux Kernel vulnerability analysis and mitigation

A memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel. This issue was discovered in January 2024 and affects Linux Kernel versions up to (excluding) 6.3. The vulnerability allows a local attacker with CAP_NET_ADMIN privileges to cause a denial of service (DoS) attack due to a refcount overflow (NVD, Ubuntu).

The vulnerability exists in the ctnetlink_create_conntrack function where nf_ct_put() needs to be called to put the refcount obtained by nf_conntrack_find_get() to avoid refcount leak when nf_conntrack_hash_check_insert() fails. The issue has a CVSS v3.1 base score of 4.4 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (NVD, Kernel Commit).

The vulnerability can be exploited by a local attacker with CAP_NET_ADMIN privileges to cause a denial of service condition through memory exhaustion due to refcount overflow (NVD, Ubuntu).

If not needed, disable the ability for unprivileged users to create namespaces. This can be done temporarily with 'sudo sysctl -w kernel.unprivileged_userns_clone=0' or permanently by adding 'kernel.unprivileged_userns_clone=0' to /etc/sysctl.d/99-disable-unpriv-userns.conf. The vulnerability has been fixed in Linux Kernel 6.3-rc1 (Ubuntu).