CVE-2023-52698: calipso: fix memory leak in netlbl_calipso_add_pass()
In the Linux kernel, the following vulnerability has been resolved:
calipso: fix memory leak in netlbl_calipso_add_pass()
If IPv6 support is disabled at boot (ipv6.disable=1),
the calipso_init() -> netlbl_calipso_ops_register() function isn't called,
and the netlbl_calipso_ops_get() function always returns NULL.
In this case, the netlbl_calipso_add_pass() function allocates memory
for the doi_def variable but doesn't free it with the calipso_doi_free().
BUG: memory leak
unreferenced object 0xffff888011d68180 (size 64):
comm "syz-executor.1", pid 10746, jiffies 4295410986 (age 17.928s)
hex dump (first 32 bytes):
00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<...>] kmalloc include/linux/slab.h:552 [inline]
[<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline]
[<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111
[<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739
[<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
[<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800
[<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515
[<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811
[<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
[<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339
[<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934
[<...>] sock_sendmsg_nosec net/socket.c:651 [inline]
[<...>] sock_sendmsg+0x157/0x190 net/socket.c:671
[<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342
[<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396
[<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429
[<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46
[<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with Syzkaller
[PM: merged via the LSM tree at Jakub Kicinski request]
Security readout for executives and security teams
Plain-English summary
CVE-2023-52698 is a Linux kernel memory leak in CALIPSO NetLabel handling. It occurs when IPv6 is disabled at boot and a CALIPSO add path allocates memory without freeing it. The known impact is resource leakage, not code execution. Business urgency depends on whether affected kernels run with IPv6 disabled and NetLabel/CALIPSO functionality reachable.
Executive priority
Schedule remediation through the normal kernel patch cycle, faster for hosts with IPv6 disabled or strict availability requirements. Current evidence supports availability risk from memory leakage, with no confirmed active exploitation in the provided sources.
Technical view
The flaw is in netlbl_calipso_add_pass(). With ipv6.disable=1, calipso_init() does not register CALIPSO ops, so netlbl_calipso_ops_get() returns NULL. The function allocates doi_def and misses calipso_doi_free() on that path. Syzkaller reported an unreferenced 64-byte object through generic netlink handling. Stable kernel fixes are referenced by upstream commit URLs.
Likely exposure
Exposure is most plausible on Linux systems running affected kernel versions where IPv6 is disabled at boot. The source bundle does not establish required privileges, distribution-specific package states, or whether typical default configurations expose the vulnerable path.
Exploitation context
The CVE source says it was found with Syzkaller and KEV status is false. No cited source in the bundle reports active exploitation or public weaponization. Treat exploitation evidence as absent, not disproven.
Researcher notes
The key branch is the missing cleanup when CALIPSO ops are unavailable because IPv6 initialization was skipped. The bundle does not provide CVSS, privilege requirements, or distro package mappings. Validate by source review, fixed commit presence, and configuration inventory rather than assuming broad exposure.
Mitigation direction
Update to a kernel containing the referenced upstream stable fixes.
Check distribution advisories for the exact fixed package version.
Prioritize systems booted with ipv6.disable=1 until exposure is clarified.
Avoid direct wrangler or unrelated deployment assumptions; follow normal kernel patching process.
Validation and detection
Inventory Linux kernel versions against the CVE affected-version data.
Check boot parameters for ipv6.disable=1 on Linux hosts.
Confirm installed kernel includes one of the referenced stable fixes.
Review vendor advisories for Debian or other distributions in use.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2023-52698 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.