CVE-2023-53635 in Linux
Summary
by MITRE • 10/07/2025
In the Linux kernel, the following vulnerability has been resolved:
netfilter: conntrack: fix wrong ct->timeout value
(struct nf_conn)->timeout is an interval before the conntrack is confirmed. After confirmation, it becomes a timestamp.
It is observed that the timeout of an unconfirmed conntrack is:
- Set by calling ctnetlink_change_timeout(). As a result, `nfct_time_stamp` was wrongly added to `ct->timeout` twice.
- Get by calling ctnetlink_dump_timeout(). As a result, `nfct_time_stamp` was wrongly subtracted.
Call Trace:
<TASK>
dump_stack_lvl
ctnetlink_dump_timeout
__ctnetlink_glue_build
ctnetlink_glue_build
__nfqnl_enqueue_packet
nf_queue
nf_hook_slow
ip_mc_output
? __pfx_ip_finish_output
ip_send_skb
? __pfx_dst_output
udp_send_skb
udp_sendmsg
? __pfx_ip_generic_getfrag
sock_sendmsg
Separate the 2 cases in:
- Setting `ct->timeout` in __nf_ct_set_timeout().
- Getting `ct->timeout` in ctnetlink_dump_timeout().
Pablo appends:
Update ctnetlink to set up the timeout _after_ the IPS_CONFIRMED flag is set on, otherwise conntrack creation via ctnetlink breaks.
Note that the problem described in this patch has existed since the introduction of the nfnetlink_queue conntrack support; select a sufficiently old Fixes: tag for -stable kernels to pick up this fix.
Analysis
by VulDB Data Team • 03/01/2026
The vulnerability identified as CVE-2023-53635 resides within the Linux kernel's netfilter subsystem, specifically affecting the connection tracking component known as conntrack. This flaw manifests in the improper handling of timeout values for network connections, creating a critical inconsistency in how connection tracking timestamps are managed. The issue impacts the nf_conn structure where the timeout field transitions from representing an interval to a timestamp upon connection confirmation, yet the implementation fails to properly distinguish between these two states during read and write operations.
The technical flaw stems from incorrect arithmetic operations applied to the ct->timeout field when dealing with unconfirmed connections. During the setting operation via ctnetlink_change_timeout(), the nfct_time_stamp value gets erroneously added twice to ct->timeout, effectively doubling the intended timeout value. Conversely, during retrieval operations through ctnetlink_dump_timeout(), the nfct_time_stamp is incorrectly subtracted from the timeout value, leading to negative or incorrect timeout calculations. This dual manipulation creates a fundamental inconsistency in connection tracking behavior that can result in premature connection expiration or indefinite retention of stale connections.
The operational impact of this vulnerability extends beyond simple connection tracking anomalies to potentially compromise network security and system stability. When connections are improperly timed out or retained beyond their intended duration, it creates opportunities for resource exhaustion attacks where malicious actors can exploit the flawed timeout mechanism to maintain persistent connections or consume excessive system resources. The vulnerability affects the entire connection tracking framework, making it particularly dangerous as it can influence packet processing, network flow management, and overall system performance across various network protocols. The call trace demonstrates the vulnerability's path through the network stack, highlighting that the issue occurs during packet queuing and connection tracking operations that are fundamental to network processing.
The fix implemented addresses the core issue by separating the timeout handling into distinct operations for setting and getting values. The solution modifies __nf_ct_set_timeout() to properly manage the timeout value during setting operations while ensuring ctnetlink_dump_timeout() correctly retrieves the timeout without applying incorrect arithmetic operations. Additionally, the patch ensures that timeout values are properly configured after the IPS_CONFIRMED flag is set, preventing connection creation failures when using ctnetlink for connection tracking operations. This fix aligns with CWE-682: Incorrect Calculation, which specifically addresses issues where arithmetic operations produce incorrect results due to improper handling of data types or values. The vulnerability's impact is further contextualized by its relationship to ATT&CK technique T1071.004: Application Layer Protocol: DNS, where improper connection tracking could facilitate evasion or persistence mechanisms. The fix requires careful handling of timestamp calculations and proper state management within the connection tracking subsystem, making it a critical patch for maintaining network security and system stability in environments relying on Linux kernel netfilter functionality.
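As an added illustration (not code from the kernel or from the patch), the following user-space C model reproduces the two-state timeout semantics described above: the pre-fix set/get pair that always treats the field as a timestamp, beside the fixed pair that branches on the confirmed flag. The struct, the ct_* helpers, the IPS_CONFIRMED bit position and now_stamp are constructed stand-ins for struct nf_conn, the kernel helpers and nfct_time_stamp.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed user-space model of the two-state timeout field; not kernel code. */
#define IPS_CONFIRMED (1U << 3)   /* confirmed-status flag; bit position constructed */
struct ct_model {
    uint32_t status;   /* IPS_* bits */
    uint32_t timeout;  /* interval until confirmed, absolute stamp afterwards */
};
static uint32_t now_stamp;   /* stand-in for nfct_time_stamp (jiffies) */
static int ct_is_confirmed(const struct ct_model *ct) { return (ct->status & IPS_CONFIRMED) != 0; }
/* Confirmation turns the stored interval into an absolute expiry stamp. */
static void ct_confirm(struct ct_model *ct)
{
    ct->timeout += now_stamp;
    ct->status |= IPS_CONFIRMED;
}
/* Ticks left if the field is an absolute stamp; saturates at 0 like nf_ct_expires(). */
static uint32_t stamp_remaining(uint32_t stamp)
{
    int32_t left = (int32_t)(stamp - now_stamp);
    return left > 0 ? (uint32_t)left : 0;
}
/* Pre-fix: set and get always treat the field as a timestamp. */
static void ct_set_timeout_buggy(struct ct_model *ct, uint32_t interval)
{
    ct->timeout = now_stamp + interval;   /* ct_confirm() adds now_stamp again */
}
static uint32_t ct_expires_buggy(const struct ct_model *ct)
{
    return stamp_remaining(ct->timeout);  /* wrong while unconfirmed */
}
/* Fixed: branch on IPS_CONFIRMED in both directions. */
static void ct_set_timeout_fixed(struct ct_model *ct, uint32_t interval)
{
    ct->timeout = ct_is_confirmed(ct) ? now_stamp + interval : interval;
}
static uint32_t ct_expires_fixed(const struct ct_model *ct)
{
    return ct_is_confirmed(ct) ? stamp_remaining(ct->timeout) : ct->timeout;
}

int main(void)
{
    struct ct_model a = {0, 300}, b = {0, 300};   /* fresh, unconfirmed, 300 ticks */
    now_stamp = 100000;
    ct_set_timeout_buggy(&a, 300); ct_confirm(&a);
    ct_set_timeout_fixed(&b, 300); ct_confirm(&b);
    printf("buggy=%u fixed=%u\n", ct_expires_buggy(&a), ct_expires_fixed(&b));
    return 0;
}
```

Dumping a fresh unconfirmed entry (the nfqueue path in the call trace) shows the other half of the bug: the pre-fix getter subtracts the stamp from a plain interval and saturates to 0, while the fixed getter returns the interval unchanged.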