CVE-2023-32233

HIGH EXPLOITED

Linux Kernel 3.13-6.3.1 - Use-After-Free in Netfilter nf_tables via Anonymous Set Mishandling

Exploitation Summary

CVE-2023-32233 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 9 public exploits from researchers including Liuk3r, oferchen, PIDAN-HEIDASHUAI.

AI-analyzed exploit summary: This is a functional exploit PoC for CVE-2023-32233, targeting a race condition in the Linux kernel's nf_tables module. The exploit leverages a use-after-free vulnerability to achieve local privilege escalation (LPE) by manipulating kernel memory structures.

Description

In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled.

Exploits (9)

nomisec WORKING POC 370 stars
by Liuk3r · local
https://github.com/Liuk3r/CVE-2023-32233

This is a functional exploit PoC for CVE-2023-32233, targeting a race condition in the Linux kernel's nf_tables module. The exploit leverages a use-after-free vulnerability to achieve local privilege escalation (LPE) by manipulating kernel memory structures.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (specifically tested on Ubuntu 23.04 with kernel 6.2.0-20-generic)
No auth needed
Prerequisites: Linux kernel with nf_tables module loaded · Specific kernel version (6.2.0-20-generic or similar) · Build dependencies (gcc, libmnl-dev, libnftnl-dev)
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 49 stars
by oferchen · local
https://github.com/oferchen/POC-CVE-2023-32233

This PoC demonstrates a use-after-free vulnerability in the Linux kernel's Netfilter nf_tables component (CVE-2023-32233). The exploit leverages a race condition in batch request processing to achieve arbitrary memory corruption and potential privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (Netfilter nf_tables)
No auth needed
Prerequisites: Linux kernel with vulnerable nf_tables implementation · Ability to send Netfilter batch requests
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by PIDAN-HEIDASHUAI · local
https://github.com/PIDAN-HEIDASHUAI/CVE-2023-32233

This repository contains a proof-of-concept exploit for CVE-2023-32233, targeting a race condition in the Linux kernel's nf_tables module. The exploit requires specific kernel symbols and tuning for different microprocessors to achieve reliable exploitation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (nf_tables module), specifically tested on Ubuntu 23.04 with kernel 6.2.0-20-generic
No auth needed
Prerequisites: Linux kernel with vulnerable nf_tables module · Specific kernel symbols and offsets · Tuning for microprocessor architecture
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 1 star
by NiranjMahaswar · poc
https://github.com/NiranjMahaswar/gemini-2.5-pro-nf-tables-red-teaming

This repository documents a comparative LLM red teaming experiment on CVE-2023-32233, focusing on model behavior and safety alignment rather than providing exploit code or technical details of the vulnerability.

Classification: Writeup 100%
Attack Type: Other
Complexity: N/A
Reliability: N/A
Target: Linux kernel (nf_tables)
No auth needed
devstral-2 · analyzed Jun 05, 2026

nomisec WORKING POC 1 star
by void0red · local
https://github.com/void0red/CVE-2023-32233

This repository contains a working exploit for CVE-2023-32233, targeting Linux kernel versions <5.16. The exploit leverages a use-after-free (UAF) vulnerability in the nftables subsystem to achieve local privilege escalation (LPE) by spraying `nft_rule` structures and hijacking control flow via ROP.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel <5.16
No auth needed
Prerequisites: Linux kernel <5.16 · nftables support · unprivileged user access
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by NiranjMahaswar · poc
https://github.com/NiranjMahaswar/gemini-2.5-pro-nf-tables-red-teamin

This repository is a technical case study documenting Google Gemini 2.5 Pro's safety alignment policies and guardrails related to CVE-2023-32233, focusing on the evolution of refusal behavior for legacy Linux kernel vulnerability primitives. It does not contain exploit code but provides a detailed analysis and timeline dataset.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Google Gemini 2.5 Pro
No auth needed
Prerequisites: access to the case study website
devstral-2 · analyzed Jun 05, 2026

nomisec WRITEUP
by Destawell · poc
https://github.com/Destawell/gemini-2.5-pro-nf-tables-red-teamin

This repository is a technical case study documenting Google Gemini 2.5 Pro's safety alignment policies and guardrails related to CVE-2023-32233, focusing on refusal behavior evolution rather than providing exploit code.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Google Gemini 2.5 Pro
No auth needed
Prerequisites: access to Google Gemini 2.5 Pro
devstral-2 · analyzed May 22, 2026

nomisec WRITEUP
by Destawell · poc
https://github.com/Destawell/gemini-2.5-pro-nf-tables-red-teaming

This repository documents a comparative LLM red teaming experiment on CVE-2023-32233 (nf_tables race condition / Use-After-Free), focusing on model behavior and safety alignment rather than providing exploit code.

Classification: Writeup 100%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Linux kernel (nf_tables)
No auth needed
Prerequisites: N/A
devstral-2 · analyzed May 21, 2026

nomisec WORKING POC
by RogelioPumajulca · local
https://github.com/RogelioPumajulca/TEST-CVE-2023-32233

This repository contains a proof-of-concept exploit for CVE-2023-32233, a use-after-free vulnerability in the Linux kernel's Netfilter nf_tables component. The exploit leverages a race condition to achieve arbitrary memory manipulation, leading to potential privilege escalation or remote code execution.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (specific versions affected by CVE-2023-32233)
No auth needed
Prerequisites: Access to a vulnerable Linux kernel with Netfilter nf_tables enabled · Ability to send crafted batch requests to the nf_tables subsystem
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.8
EPSS 0.1195
EPSS Percentile 95.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

VulnCheck KEV 2024-12-06
CWE CWE-416
Status published
Products (9)
linux/linux_kernel 3.13 - 4.14.315
netapp/hci_baseboard_management_controller h300s
netapp/hci_baseboard_management_controller h410c
netapp/hci_baseboard_management_controller h410s
netapp/hci_baseboard_management_controller h500s
netapp/hci_baseboard_management_controller h700s
redhat/enterprise_linux 7.0
redhat/enterprise_linux 8.0
redhat/enterprise_linux 9.0
Published May 08, 2023
Tracked Since Feb 18, 2026