A heap out-of-bounds read/write vulnerability in the Linux Kernel traffic control (QoS) subsystem can be exploited to achieve local privilege escalation.
TheΒ qfq_change_class function does not properly limit the lmax variable which can lead to out-of-bounds read/write.Β If the TCA_QFQ_LMAX value is not offered through nlattr, lmax is determined by the MTU value of the network device. The MTU of the loopback device can be set up to 2^31-1 and as a result, it is possible to have an lmax value that exceeds QFQ_MIN_LMAX.
We recommend upgrading past commit 3037933448f60f9acb705997eae62013ecb81e0d.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | linux | <=Β 6.1.25-1 | linux_6.1.25-1_all.deb |
Debian | 11 | all | linux | <=Β 5.10.178-3 | linux_5.10.178-3_all.deb |
Debian | 10 | all | linux | <Β 4.19.282-1 | linux_4.19.282-1_all.deb |
Debian | 999 | all | linux | <=Β 6.1.25-1 | linux_6.1.25-1_all.deb |