CVE-2023-53566: netfilter: nft_set_rbtree: fix null deref on element insertion
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_rbtree: fix null deref on element insertion
There is no guarantee that rb_prev() will not return NULL in nft_rbtree_gc_elem():
general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
nft_add_set_elem+0x14b0/0x2990
nf_tables_newsetelem+0x528/0xb30
Furthermore, there is a possible use-after-free while iterating,
'node' can be free'd so we need to cache the next value to use.
Security readout for executives and security teams
Plain-English summary
CVE-2023-53566 is a Linux kernel netfilter flaw in the nftables rbtree set code. The bug can cause a null pointer dereference and possible use-after-free during set element insertion. Business impact is most likely system instability or denial of service, but the supplied sources do not provide CVSS, exploitation status, or privilege requirements.
Executive priority
Track and patch through normal kernel maintenance unless vendor guidance raises severity. Escalate priority for shared infrastructure, security gateways, or hosts where untrusted users can influence nftables behavior. Current evidence is insufficient for emergency response.
Technical view
The resolved kernel issue is in nft_set_rbtree, specifically nft_rbtree_gc_elem() during nft_add_set_elem()/nf_tables_newsetelem() paths. rb_prev() may return NULL, and iteration could continue after freeing node. The fix family is published across Linux stable commits. The source bundle does not establish remote reachability, exploitability beyond crash/UAF risk, or affected distribution packages.
Likely exposure
Exposure is likely limited to Linux systems running affected kernel versions with nftables/netfilter rbtree set functionality reachable. The bundle names Linux as affected and includes version markers, but does not provide distribution advisories, package names, default configuration, or privilege requirements.
Exploitation context
No active exploitation is supported by the supplied evidence. KEV is false, and the bundle contains no public exploit, attack chain, or in-the-wild report. Treat this as a kernel memory-safety stability risk until vendor advisories clarify impact for your deployed distributions.
Researcher notes
Key evidence is the kernel resolution text: NULL from rb_prev() in nft_rbtree_gc_elem() and possible use-after-free while iterating after node free. Research should focus on trigger preconditions, namespace/capability requirements, and distribution backport status. Do not assume exploitation beyond the documented crash/UAF condition.
Mitigation direction
Check your Linux vendor advisory for CVE-2023-53566 package applicability.
Update affected kernels to vendor-provided fixed builds when available.
Prioritize internet-facing or multi-tenant Linux systems using nftables.
Avoid treating upstream commit hashes as distribution package guidance.
Monitor kernel and distribution advisories for severity and exploitability updates.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and containers hosts.
Identify systems using nftables or netfilter rule sets with rbtree sets.
Map deployed kernels to vendor advisories for CVE-2023-53566.
Confirm whether fixed stable commits are included in installed packages.
Record exceptions where distribution backports fix without changing version strings.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2023-53566 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
8Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Oct 4, 2025, 15:17 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.