PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-6817 Linux CVE debrief

CVE-2023-6817 is a Linux kernel netfilter:nf_tables use-after-free issue that can be used for local privilege escalation. The flaw is tied to nft_pipapo_walk failing to skip inactive elements during set walking, which can lead to double deactivation of PIPAPO elements and then use-after-free. NVD lists affected Linux kernel version ranges across multiple release lines, and the upstream fix is identified by commit 317eb9685095678f2c9f5a8189de698c5354316a. This is a high-priority kernel security issue because it affects core OS code and the impact includes confidentiality, integrity, and availability loss on vulnerable systems.

Vendor
Linux
Product
CVE-2023-6817
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2023-12-18
Original CVE updated
2026-05-12
Advisory published
2023-12-18
Advisory updated
2026-05-12

Who should care

Linux kernel maintainers, distribution security teams, infrastructure operators, and anyone running affected Linux kernel versions should care. Systems that permit local code execution by less-trusted users deserve particular attention because the issue can lead to local privilege escalation.

Technical summary

NVD classifies the weakness as CWE-416 (use-after-free) with CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerable behavior occurs in nft_pipapo_walk within nf_tables, where inactive elements were not skipped during set traversal. That omission could cause PIPAPO elements to be deactivated twice, creating a use-after-free condition. NVD’s affected-version criteria include Linux kernel versions starting at 5.6 before 5.10.204, 5.11 before 5.15.143, 5.16 before 6.1.68, 6.2 before 6.6.7, and 6.7 release candidates rc1 through rc4. The upstream fix is associated with commit 317eb9685095678f2c9f5a8189de698c5354316a.

Defensive priority

High. The vulnerability is locally exploitable and can result in privilege escalation on affected kernels, so patching vulnerable hosts should be treated as urgent.

Recommended defensive actions

  • Upgrade Linux kernels to versions that include upstream commit 317eb9685095678f2c9f5a8189de698c5354316a or vendor backports of that fix.
  • Inventory running kernels and compare them against the affected ranges listed by NVD, including the 5.6, 5.11, 5.16, 6.2, and 6.7-rc lines.
  • Prioritize systems where local users, containers, or other untrusted code can run, since the issue is locally exploitable.
  • Apply distribution or vendor advisories referenced in the source corpus, such as Debian LTS and Siemens product security notices, where applicable to your environment.
  • Verify patch deployment across fleets after updates, especially for long-lived servers and appliances that may not track upstream kernel releases quickly.

Evidence notes

All claims above are grounded in the supplied CVE record and NVD metadata. The description explicitly states a use-after-free in nf_tables via nft_pipapo_walk and notes local privilege escalation. NVD provides the CVSS vector, CWE-416 classification, affected version criteria, and the upstream fix commit reference. Additional source links in the record point to the upstream kernel commit, mailing list posts, Debian LTS notice, and Siemens product security advisories.

Official resources

Publicly disclosed in the CVE record on 2023-12-18. This debrief uses the CVE published date for disclosure timing and does not use later modification dates as the issue date.