This post is part of a regular series on Oracle Ksplice’s Known Exploit Detection. For selected security vulnerabilities, not only will Ksplice fix the code error, but it will also lay down tripwires to detect exploit attempts.
Known Exploit Detection allows system administrators to detect and alert on future attempts to exploit that vulnerability even after the system has been patched.
Why Exploit Detection Matters
In many cases, a code fix for a security vulnerability is indistinguishable from a bug fix or logic change. The majority of Linux kernel security vulnerabilities are identified retroactively and assigned to patches that are already part of the kernel.
Once the bug is fixed, the program works “correctly” and won’t trigger an alarm if a malicious user tests a known exploit.
For example, the exploit for CVE-2023-3390 lets a local user escalate to root privileges by exploiting a vulnerability in nftables' rule creation logic that deletes a rule twice: once from the error path when creating the faulty rule, and again from the abort path. This results in a double-free of a set element.
When this is fixed, an exploit attempt won’t grant unauthorized access, but the system admin won’t be alerted. With Known Exploit Detection, Ksplice fixes the race condition and sets a tripwire to detect double-free attempts.
Here’s how the warning message for CVE-2023-3390 appears in systemd’s logs when Ksplice detects an attack from the binary exploit:
Sep 12 12:47:25 localhost.localdomain /log-known-exploit[13493]: exploit attempt detected; id=CVE-2023-3390 pid=13493 uid=0 comm=exploit lost=0
Here, lost=0 shows that no detection events were dropped by Ksplice’s internal rate limiting, which suppresses excessive repeated alerts.
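As an added illustration (not Ksplice's own tooling), the following Python snippet parses log lines in the format shown above, counts detections per CVE, and tracks how many events the rate limiter suppressed, which is what a SIEM forwarding rule would want to extract. The sample log text is constructed; the second and third lines are placeholders, not real events.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log text in the format shown in the post. The second line is
# unrelated noise; the third is a placeholder event with a non-zero lost counter.
SAMPLE_LOG = """\
Sep 12 12:47:25 localhost.localdomain /log-known-exploit[13493]: exploit attempt detected; id=CVE-2023-3390 pid=13493 uid=0 comm=exploit lost=0
Sep 12 12:47:26 localhost.localdomain systemd[1]: Started Session 4 of user root.
Sep 12 12:47:31 localhost.localdomain /log-known-exploit[13510]: exploit attempt detected; id=CVE-2023-32233 pid=13510 uid=1000 comm=poc lost=3
"""

# Matches only the message body; the syslog prefix (timestamp, host, tag) is left
# flexible because its exact shape depends on the logging configuration.
EVENT_RE = re.compile(
    r"exploit attempt detected; id=(?P<cve>CVE-\d{4}-\d+) pid=(?P<pid>\d+) "
    r"uid=(?P<uid>\d+) comm=(?P<comm>\S+) lost=(?P<lost>\d+)"
)


@dataclass
class ExploitEvent:
    cve: str
    pid: int
    uid: int
    comm: str
    lost: int  # detections dropped by Ksplice's rate limiting before this one


def parse_event(line: str) -> Optional[ExploitEvent]:
    """Return the parsed event for a Known Exploit Detection line, else None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return ExploitEvent(m["cve"], int(m["pid"]), int(m["uid"]),
                        m["comm"], int(m["lost"]))


def summarize(log_text: str) -> dict:
    """Count detections per CVE and sum the suppressed events across the log."""
    per_cve: dict = {}
    suppressed = 0
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue  # not a Known Exploit Detection line
        per_cve[ev.cve] = per_cve.get(ev.cve, 0) + 1
        suppressed += ev.lost
    return {"events": per_cve, "suppressed": suppressed}
```

A non-zero suppressed total means the visible event count understates the number of attempts, so alert on the event, not on the count.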
We apply Known Exploit Detection selectively: only for vulnerabilities that are significant and likely to be exploited. Not every patched flaw gets this treatment—it’s reserved for high-profile threats.
Latest Known Exploit Detection Tripwires Added
Here’s a selection of our most recent Known Exploit Detection capabilities in Oracle Ksplice:
- CVE-2023-3390: This is a use-after-free vulnerability in the netfilter subsystem’s nf_tables implementation. The issue arises when an nf_tables rule, attached to a chain, contains expressions that reference an anonymous set. If an invalid parameter is passed to such an expression during rule creation, the rule is not created. Prior to the fix, this scenario led to the anonymous set associated with the expression being immediately deleted without proper deactivation and removal from the transaction list. Consequently, within the same transaction, the deleted set remained accessible from the transaction list, resulting in a use-after-free condition.
- CVE-2023-32233: This is a use-after-free in netfilter’s nf_tables handling of anonymous sets during rule deletion. An nf_tables rule is attached to a chain and contains expressions that match network packets to determine actions. These expressions may reference an anonymous set, which is deleted along with the rule. However, when deleted, the set is not detached from the global list of sets but is only deactivated. This ensures that the set cannot be referenced again when iterating through the global list. Before the fix, the set was not deactivated and could still be referenced from the list. Since the set was already scheduled for deletion with the rule referencing it through an expression, any subsequent attempt to access the set resulted in a use-after-free.
- CVE-2023-3777: This is a use-after-free vulnerability in the netfilter subsystem’s nf_tables implementation. The bug stems from missing validation when deleting rules from a bound chain that contains rules referencing a victim chain via immediate expressions with NFT_JUMP or NFT_GOTO verdicts. This can cause the victim chain’s reference count to underflow to -1. If another rule is then created in a different chain that targets the victim chain using an immediate expression with NFT_JUMP or NFT_GOTO, the victim’s reference count increases to 0. Deleting the victim chain at this point frees its memory because the reference count is 0, while another chain still holds a dangling pointer to it as a jump target. This leads to a use-after-free when the referenced chain is later accessed. Unprivileged users can exploit this condition to achieve arbitrary kernel read/write and ultimately local privilege escalation. The issue has been demonstrated to be reliably exploitable via unprivileged netlink API calls.
- CVE-2022-2639: This vulnerability allows an untrusted user to escalate privileges to ring zero by leveraging an integer coercion error in the openvswitch kernel module’s reserve_sfa_size() function. This flaw allows a local user to crash or potentially escalate their privileges on the system. The issue occurs when handling netlink messages, allowing an attacker to trigger an out-of-bounds write in kernel memory. Public proof-of-concept exploits have been disclosed, including implementations utilizing the pipe-primitive technique that do not require KASLR leaks or SMAP/SMEP/KPTI bypasses.
- CVE-2022-34918: This vulnerability allows an untrusted user to escalate privileges to ring zero by leveraging a type confusion bug in nft_set_elem_init in the Netfilter subsystem’s nf_tables component, leading to a heap buffer overflow. The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access. Multiple public proof-of-concept exploits have been released, including a Metasploit module and standalone exploits targeting specific kernel versions. The exploitation involves crafting malicious netlink messages to trigger the type confusion. The flaw was particularly significant because unprivileged user namespaces can be enabled by default, lowering the barrier for exploitation.
- CVE-2025-21920: A missing check for the device type in the Ethernet VLAN stack could lead to a kernel address leak. Since the System.map file is also readable by an unprivileged attacker, KASLR can be bypassed: the attacker can read the relative offsets from System.map and combine them with the leaked address to compute the address of any kernel symbol, which can facilitate an attack such as privilege escalation.
On a non-Ksplice-patched system, the kernel fix prevents the vulnerability but does not alert the admin to an attack attempt. With Ksplice, the intrusion is prevented and logged.
Ksplice lets you patch vulnerabilities and critical bugs on running systems without rebooting. Find out what patches you can apply with Ksplice Inspector. Learn more at ksplice.oracle.com.
If this work interests you, consider applying to the Ksplice team! Reach us at ksplice-support_ww@oracle.com.