CVE intelligence and bounded remediation

CVE-2023-52977 — Linux Linux Kernel security vulnerability

Medium CVSS 5.5

In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix flow memory leak in ovs_flow_cmd_new Syzkaller reports a memory leak of new_flow in ovs_flow_cmd_new() as it is not freed when an allocation of a key fails. BUG: memory leak unreferenced object 0xffff888116668000 (size 632): comm "syz-executor231", pid 1090, jiffies 4294844701 (age 18.871s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000defa3494>] kmem_cache_zalloc include/linux/slab.h:654 [inline] [<00000000defa3494>] ovs_flow_alloc+0x19/0x180 net/openvswitch/flow_table.c:77 [<00000000c67d8873>] ovs_flow_cmd_new+0x1de/0xd40 net/openvswitch/datapath.c:957 [<0000000010a539a8>] genl_family_rcv_msg_doit+0x22d/0x330 net/netlink/genetlink.c:739 [<00000000dff3302d>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] [<00000000dff3302d>] genl_rcv_msg+0x328/0x590 net/netlink/genetlink.c:800 [<000000000286dd87>] netlink_rcv_skb+0x153/0x430 net/netlink/af_netlink.c:2515 [<0000000061fed410>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 [<000000009dc0f111>] netlink_un…

Severity
Medium
CVSS
5.5 (3.1)
Published
2025-03-27
CISA KEV
Not currently listed
Ecosystem
linux/kernel
Weaknesses
CWE-401

Affected products

  • linux / linux_kernel

Showing 1 representative product identities from 8 source matches. Confirm exact affected versions with the linked vendor and NVD evidence.

Matched remediation archetype

Resource exhaustion and denial of service

This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.

Check exposure

  • Identify attacker-influenced work factors including input size, nesting, compression, fan-out, regex cost, allocation, recursion, retries, and connection lifetime.
  • Map per-request and shared CPU, memory, disk, descriptor, thread, queue, and downstream-service limits.
  • Determine whether authentication, tenancy, quotas, and rate controls apply before expensive processing begins.

Remediate safely

  • Bound input size, nesting, expansion, work, concurrency, queue depth, retries, and execution time before resource-intensive processing.
  • Release resources on every success, error, cancellation, and timeout path and use backpressure instead of unbounded buffering.
  • Update affected components and add small deterministic tests that assert resource ceilings rather than exhausting a host.

Authoritative sources

Complete CVE record and remediation plan

The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.