CVE-2023-23454 in Linux
Summary
by MITRE • 01/12/2023
cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 10/07/2025
The vulnerability identified as CVE-2023-23454 resides within the Linux kernel's traffic control subsystem, specifically in the cbq_classify function located in net/sched/sch_cbq.c. This flaw represents a critical type confusion issue that can be exploited to trigger a slab-out-of-bounds read condition, fundamentally compromising system stability and availability. The vulnerability affects Linux kernel versions through 6.1.4, making it a widespread concern across multiple kernel releases that have been in production use for extended periods.
The technical root cause of this vulnerability stems from improper handling of classification results within the Class-Based Queueing (CBQ) traffic control implementation. The cbq_classify function processes network packets and determines their classification within the queuing system, but it fails to properly validate the return values from underlying operations. Specifically, the implementation treats non-negative numbers as valid classification results when they may actually represent a TC_ACT_SHOT condition, which indicates packet rejection rather than legitimate classification data. This type confusion creates a scenario where attacker-controlled data can be interpreted as valid classification information, leading to memory access violations.
The operational impact of this vulnerability manifests as a denial of service condition that can be triggered remotely or locally by an attacker who can manipulate traffic control parameters or send specially crafted network packets. When the kernel processes these malformed classification results, it attempts to read from memory locations outside the intended slab allocation boundaries, causing kernel panics, system crashes, or unpredictable behavior. This type of out-of-bounds read can be particularly dangerous in network-facing systems where traffic control policies are actively used, as it provides an easy path to system instability and potential service disruption.
From a cybersecurity perspective, this vulnerability aligns with CWE-129, which describes improper validation of array indices, and represents a classic case of type confusion in kernel space operations. The ATT&CK framework categorizes this under T1499.004, specifically targeting the availability of systems through resource exhaustion or kernel-level disruptions. The vulnerability's exploitability is enhanced by the fact that it requires minimal privileges to trigger, as it operates within the kernel's traffic control subsystem that is typically accessible through standard network management interfaces. Organizations should prioritize patching this vulnerability as it provides attackers with a reliable method for causing system-wide denial of service conditions without requiring elevated privileges.
Mitigation strategies include immediate kernel updates to versions that contain the patched cbq_classify implementation, which properly validates classification result types and prevents the type confusion scenario. System administrators should also consider implementing network traffic filtering rules that limit exposure to potentially malicious traffic control parameter modifications. Additionally, monitoring for unusual traffic control subsystem behavior and implementing proper access controls for traffic management interfaces can help detect and prevent exploitation attempts. The vulnerability demonstrates the critical importance of proper input validation in kernel space code and highlights the need for comprehensive testing of traffic control and queuing subsystems under various operational conditions to prevent similar issues in the future.