CVE-2023-52925 in Linux
Summary
by MITRE • 02/05/2025
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: don't fail inserts if duplicate has expired
nftables selftests fail: run-tests.sh testcases/sets/0044interval_overlap_0 Expected: 0-2 . 0-3, got: W: [FAILED] ./testcases/sets/0044interval_overlap_0: got 1
Insertion must ignore duplicate but expired entries.
Moreover, there is a strange asymmetry in nft_pipapo_activate:
It refetches the current element, whereas the other ->activate callbacks (bitmap, hash, rhash, rbtree) use elem->priv. Same for .remove: other set implementations take elem->priv, nft_pipapo_remove fetches elem->priv, then does a relookup, remove this.
I suspect this was the reason for the change that prompted the removal of the expired check in pipapo_get() in the first place, but skipping exired elements there makes no sense to me, this helper is used for normal get requests, insertions (duplicate check) and deactivate callback.
In first two cases expired elements must be skipped.
For ->deactivate(), this gets called for DELSETELEM, so it seems to me that expired elements should be skipped as well, i.e. delete request should fail with -ENOENT error.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 01/21/2026
The vulnerability described in CVE-2023-52925 affects the Linux kernel's netfilter subsystem, specifically within the nftables implementation that handles set operations. This issue manifests in the pipapo set type implementation where the system fails to properly handle expired entries during insert operations, leading to incorrect behavior in set management and potential denial of service conditions. The problem stems from improper handling of duplicate entry checks when expired elements are present in the set structure, causing test failures in the nftables selftest suite and disrupting expected operational behavior.
The technical flaw resides in the nft_pipapo_activate function which exhibits inconsistent behavior compared to other set implementations within the kernel. While bitmap, hash, rhash, and rbtree set types utilize elem->priv for their operations, the pipapo implementation performs additional lookups that create unnecessary complexity and potential race conditions. This design inconsistency creates a scenario where expired entries are not properly handled during insertion operations, leading to the failure described in the test case where expected behavior differs from actual results. The vulnerability represents a deviation from established patterns and introduces potential security implications through improper state management.
The operational impact of this vulnerability extends beyond simple test failures to potentially affect network filtering operations that rely on nftables for packet handling and access control. When expired entries are not properly ignored during insert operations, it can lead to inconsistent set states that may cause network traffic to be incorrectly filtered or dropped. The asymmetry in the implementation means that while some operations correctly handle expired elements, others do not, creating a fragmented security posture within the netfilter subsystem. This inconsistency can be exploited by malicious actors to manipulate set states and potentially bypass intended network filtering rules.
Security implications of this vulnerability align with CWE-691, which addresses inadequate protection of code from overflow conditions, and relate to ATT&CK technique T1562.007 for "Taint Data" which can occur when improper state handling leads to unexpected behavior in security controls. The fix requires modifications to ensure that expired entries are properly ignored during insertion operations while maintaining consistency with other set implementations. This involves removing the expired check from pipapo_get() helper function and ensuring that deactivate callbacks properly handle expired elements by returning appropriate error codes such as -ENOENT. The recommended mitigation includes updating to kernel versions that contain the patched implementation and verifying that nftables configurations properly handle set operations without relying on inconsistent expired entry behavior.