PT-2025-18840 · Linux+2 · Linux Kernel+2
Published: 2025-05-02 · Updated: 2026-01-28
CVE-2023-53076
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to the version with the adjusted bpf_jit_limit
Description
A vulnerability in the Linux kernel has been resolved: the default bpf_jit_limit was insufficient. The issue was observed in AWS EKS (Kubernetes) user reports, where containers were stuck in the ContainerCreating state or liveness/readiness probes reported errors after upgrading EKS nodes. The errors were caused by the inability to load seccomp filters into the kernel because bpf_jit_limit was too low. The default limit was originally set to 1/4 of the module memory space; it has been adjusted to 1/2 to better reflect today's needs and avoid hard-to-debug issues.
Recommendations
For Linux kernel versions prior to the version with the adjusted bpf_jit_limit, consider raising bpf_jit_limit to a higher value, such as 452534528, with the sysctl command, e.g., sysctl net.core.bpf_jit_limit=452534528, to immediately allow containers to be created and probes to execute. This is only a temporary workaround; updating to a newer Linux kernel version that includes the adjusted bpf_jit_limit is recommended.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
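The check below is an added example, not part of the original advisory: it compares a node's net.core.bpf_jit_limit with the workaround value quoted above and prints the line for a persistent sysctl.d drop-in. The function names are hypothetical, and the file path is a parameter so the logic can be run against a constructed file.

```shell
#!/bin/sh
# Added example (not from the advisory): audit net.core.bpf_jit_limit
# against the workaround value quoted in the Recommendations section.

WORKAROUND_LIMIT=452534528   # value taken from the advisory text

# jit_limit_status [FILE] [TARGET]
# Prints "ok", "low" or "unreadable" and returns 0, 1 or 2 respectively.
# FILE defaults to the live procfs entry for the sysctl.
jit_limit_status() {
    file=${1:-/proc/sys/net/core/bpf_jit_limit}
    target=${2:-$WORKAROUND_LIMIT}
    if [ ! -r "$file" ]; then
        echo unreadable
        return 2
    fi
    current=$(tr -d '[:space:]' < "$file")
    case $current in
        ''|*[!0-9]*)            # empty or non-numeric content
            echo unreadable
            return 2
            ;;
    esac
    if [ "$current" -ge "$target" ]; then
        echo ok
        return 0
    fi
    echo low
    return 1
}

# sysctl_dropin [TARGET]
# Emits the line to place in a file under /etc/sysctl.d/ so the
# workaround survives a reboot until the kernel is updated.
sysctl_dropin() {
    printf 'net.core.bpf_jit_limit = %s\n' "${1:-$WORKAROUND_LIMIT}"
}
```

Reading the procfs entry typically requires root; on a node reporting "low", apply the sysctl command above and write the sysctl_dropin output to a file under /etc/sysctl.d/.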
Exploit
Related Identifiers
Affected Products
Linux Kernel
Red Os
Suse