LiveActive security incident?Get immediate response
CVE Record

CVE-2023-52698: calipso: fix memory leak in netlbl_calipso_add_pass()

In the Linux kernel, the following vulnerability has been resolved: calipso: fix memory leak in netlbl_calipso_add_pass() If IPv6 support is disabled at boot (ipv6.disable=1), the calipso_init() -> netlbl_calipso_ops_register() function isn't called, and the netlbl_calipso_ops_get() function always returns NULL. In this case, the netlbl_calipso_add_pass() function allocates memory for the doi_def variable but doesn't free it with the calipso_doi_free(). BUG: memory leak unreferenced object 0xffff888011d68180 (size 64): comm "syz-executor.1", pid 10746, jiffies 4295410986 (age 17.928s) hex dump (first 32 bytes): 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<...>] kmalloc include/linux/slab.h:552 [inline] [<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline] [<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111 [<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739 [<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] [<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800 [<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515 [<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811 [<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] [<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339 [<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934 [<...>] sock_sendmsg_nosec net/socket.c:651 [inline] [<...>] sock_sendmsg+0x157/0x190 net/socket.c:671 [<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342 [<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396 [<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429 [<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 [<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller [PM: merged via the LSM tree at Jakub Kicinski request]

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2023-52698 is a Linux kernel memory leak in CALIPSO NetLabel handling. It occurs when IPv6 is disabled at boot and a CALIPSO add path allocates memory without freeing it. The known impact is resource leakage, not code execution. Business urgency depends on whether affected kernels run with IPv6 disabled and NetLabel/CALIPSO functionality reachable.

Executive priority

Schedule remediation through the normal kernel patch cycle, faster for hosts with IPv6 disabled or strict availability requirements. Current evidence supports availability risk from memory leakage, with no confirmed active exploitation in the provided sources.

Technical view

The flaw is in netlbl_calipso_add_pass(). With ipv6.disable=1, calipso_init() does not register CALIPSO ops, so netlbl_calipso_ops_get() returns NULL. The function allocates doi_def and misses calipso_doi_free() on that path. Syzkaller reported an unreferenced 64-byte object through generic netlink handling. Stable kernel fixes are referenced by upstream commit URLs.

Likely exposure

Exposure is most plausible on Linux systems running affected kernel versions where IPv6 is disabled at boot. The source bundle does not establish required privileges, distribution-specific package states, or whether typical default configurations expose the vulnerable path.

Exploitation context

The CVE source says it was found with Syzkaller and KEV status is false. No cited source in the bundle reports active exploitation or public weaponization. Treat exploitation evidence as absent, not disproven.

Researcher notes

The key branch is the missing cleanup when CALIPSO ops are unavailable because IPv6 initialization was skipped. The bundle does not provide CVSS, privilege requirements, or distro package mappings. Validate by source review, fixed commit presence, and configuration inventory rather than assuming broad exposure.

Mitigation direction

  • Update to a kernel containing the referenced upstream stable fixes.
  • Check distribution advisories for the exact fixed package version.
  • Prioritize systems booted with ipv6.disable=1 until exposure is clarified.
  • Avoid direct wrangler or unrelated deployment assumptions; follow normal kernel patching process.

Validation and detection

  • Inventory Linux kernel versions against the CVE affected-version data.
  • Check boot parameters for ipv6.disable=1 on Linux hosts.
  • Confirm installed kernel includes one of the referenced stable fixes.
  • Review vendor advisories for Debian or other distributions in use.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2023-52698 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
11Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxcb72d38211eacda2dd90b09540542b6582da614e, cb72d38211eacda2dd90b09540542b6582da614e, cb72d38211eacda2dd90b09540542b6582da614e, cb72d38211eacda2dd90b09540542b6582da614e, cb72d38211eacda2dd90b09540542b6582da614e, cb72d38211eacda2dd90b09540542b6582da614e, cb72d38211eacda2dd90b09540542b6582da614e, cb72d38211eacda2dd90b09540542b6582da614eunaffected
LinuxLinux4.8, 0, 4.19.306, 5.4.268, 5.10.209, 5.15.148, 6.1.75, 6.6.14, 6.7.2, 6.8affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.