CVE-2023-0461 Use-after-free vulnerability in the Linux Kernel

2023-02-2814:23:02

CWE-416

Google

www.cve.org

use-after-free

linux kernel

vulnerability

local privilege escalation

config_tls

config_xfrm_espintcp

icsk_ulp_data

struct inet_connection_sock

struct tls_context

setsockopt tcp_ulp

upgrade

commit

2c02d41d71f90a5168391b6a5f2954112ba2307c

cve

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

JSON

There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege.

There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock.

When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable.

The setsockopt TCP_ULP operation does not require any privilege.

We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "packageName": "kernel",
    "product": "Linux Kernel",
    "repo": "https://git.kernel.org",
    "vendor": "Linux",
    "versions": [
      {
        "lessThan": "2c02d41d71f90a5168391b6a5f2954112ba2307c",
        "status": "affected",
        "version": "0",
        "versionType": "git"
      }
    ]
  }
]