LiveActive security incident?Get immediate response
CVE Record

CVE-2023-52927: netfilter: allow exp not to be removed in nf_ct_find_expectation

In the Linux kernel, the following vulnerability has been resolved: netfilter: allow exp not to be removed in nf_ct_find_expectation Currently nf_conntrack_in() calling nf_ct_find_expectation() will remove the exp from the hash table. However, in some scenario, we expect the exp not to be removed when the created ct will not be confirmed, like in OVS and TC conntrack in the following patches. This patch allows exp not to be removed by setting IPS_CONFIRMED in the status of the tmpl.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

A Linux kernel netfilter connection-tracking flaw was fixed. In some OVS and TC conntrack scenarios, an expectation could be removed even when the new connection would not be confirmed, causing incorrect state handling. Business urgency depends on affected kernel use and enabled networking features. The supplied sources do not show active exploitation.

Executive priority

Track and remediate through normal kernel patch management, escalating for network infrastructure, virtualization hosts, and Linux-based appliances using OVS or TC conntrack. Current urgency is constrained by missing CVSS, unclear impact, and no supplied evidence of exploitation.

Technical view

nf_conntrack_in() calling nf_ct_find_expectation() removed an expectation from the hash table. The fix allows the expectation to remain by setting IPS_CONFIRMED in the template status when the created conntrack entry will not be confirmed. The source bundle flags Linux kernel versions including 5.18 through 6.6, but version evidence is limited.

Likely exposure

Exposure is most relevant to Linux systems using netfilter conntrack expectations, especially Open vSwitch or TC conntrack paths. Embedded products may be exposed if they include affected Linux kernels, as suggested by Siemens references. Confirm exact kernel package status with the operating system or device vendor.

Exploitation context

CVE data marks KEV as false, and the supplied sources do not provide evidence of active exploitation, public weaponization, or a complete exploit path. Treat this as a kernel networking correctness and potential security issue until vendor advisories clarify impact.

Researcher notes

The CVE description is narrowly tied to netfilter expectation lifecycle behavior. The affected-version data is sparse and partly ambiguous. Analysis should focus on the stable commits, downstream vendor backports, and whether a dropped expectation can produce security-relevant bypass, denial, or state confusion in reachable deployments.

Mitigation direction

  • Check Linux distribution or device vendor advisories for patched kernel packages.
  • Prioritize updates on systems using OVS, TC conntrack, or advanced netfilter features.
  • Review Debian LTS and Siemens advisories if those environments are in scope.
  • If no patch is available, ask the vendor for supported mitigation guidance.

Validation and detection

  • Inventory Linux kernel versions on servers, appliances, and container hosts.
  • Identify hosts using netfilter conntrack expectations, OVS, or TC conntrack.
  • Map installed kernels against vendor advisories and stable commit references.
  • Verify patched packages or kernels are deployed after maintenance.
  • Monitor vendor advisories for severity, affected-version, and mitigation updates.
Prepared
Confidence
medium
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2023-52927 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
7Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux1bc91a5ddf3eaea0e0ea957cccf3abdcfcace00e, 1bc91a5ddf3eaea0e0ea957cccf3abdcfcace00eunaffected
LinuxLinux5.18, 0, 6.1.130, 6.6affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.