CVE-2023-5178

HIGH

Linux Kernel 5.0-5.4.260 - Use-After-Free in NVMe/TCP Subsystem

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-5178. PoCs published by rockrid3r.

AI-analyzed exploit summary This repository contains a working exploit for CVE-2023-5178, a logic error in the NVMe-oF-TCP driver leading to a racy double-free in kmalloc-96, which can be exploited for local privilege escalation (LPE). The exploit targets Ubuntu 23.10 with kernel 6.5.0-9-generic and includes a PoC to trigger the bug and a full exploit to achieve LPE.

Description

A use-after-free vulnerability was found in drivers/nvme/target/tcp.c` in `nvmet_tcp_free_crypto` due to a logical bug in the NVMe/TCP subsystem in the Linux kernel. This issue may allow a malicious user to cause a use-after-free and double-free problem, which may permit remote code execution or lead to local privilege escalation.

Exploits (1)

nomisec WORKING POC 7 stars

by rockrid3r · poc

https://github.com/rockrid3r/CVE-2023-5178

View Code ZIP pw:eip

This repository contains a working exploit for CVE-2023-5178, a logic error in the NVMe-oF-TCP driver leading to a racy double-free in kmalloc-96, which can be exploited for local privilege escalation (LPE). The exploit targets Ubuntu 23.10 with kernel 6.5.0-9-generic and includes a PoC to trigger the bug and a full exploit to achieve LPE.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: Linux Kernel NVMe-oF-TCP driver (versions up to 6.5.0-9-generic)

No auth needed

Prerequisites: nvmet and nvmet-tcp kernel modules loaded · libfuse3-dev installed · single CPU core for reliable exploitation

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1211 - Exploitation for Defense Evasion

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (26)

Core 26

Core References

Mailing List, Patch, Vendor Advisory

https://lore.kernel.org/linux-nvme/[email protected]/

Mailing List

https://lists.debian.org/debian-lts-announce/2024/01/msg00005.html

Vendor Advisory

https://security.netapp.com/advisory/ntap-20231208-0004/

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2023:7370

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2023:7379

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2023:7418

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2023:7548

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2023:7549

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2023:7551

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2023:7554

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2023:7557

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2023:7559

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:0340

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:0378

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:0386

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:0412

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:0431

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:0432

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:0461

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:0554

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:0575

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:1268

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:1269

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:1278

Third Party Advisory vdb-entry x_refsource_redhat

https://access.redhat.com/security/cve/CVE-2023-5178

Issue Tracking, Third Party Advisory issue-tracking x_refsource_redhat

https://bugzilla.redhat.com/show_bug.cgi?id=2241924

Scores

CVSS v3 8.8

EPSS 0.0914

EPSS Percentile 94.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-416

Status published

Products (34)

linux/linux_kernel 5.0 - 5.4.260

netapp/active_iq_unified_manager

netapp/solidfire_\&_hci_management_node

netapp/solidfire_\&_hci_storage_node

Red Hat/Red Hat Enterprise Linux 6

Red Hat/Red Hat Enterprise Linux 7

Red Hat/Red Hat Enterprise Linux 8

Red Hat/Red Hat Enterprise Linux 8 0:4.18.0-513.9.1.el8_9

Red Hat/Red Hat Enterprise Linux 8 0:4.18.0-513.9.1.rt7.311.el8_9

Red Hat/Red Hat Enterprise Linux 8.2 Advanced Update Support 0:4.18.0-193.128.1.el8_2

... and 24 more

Published Nov 01, 2023

Tracked Since Feb 18, 2026