CVE-2023-3773

2023-07-2516:15:11

Debian Security Bug Tracker

security-tracker.debian.org

linux

kernel

ip framework

xfrm subsystem

netlink attributes

sensitive data

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.0005 Low

EPSS

Percentile

17.7%

JSON

A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to cause a 4 byte out-of-bounds read of XFRMA_MTIMER_THRESH when parsing netlink attributes, leading to potential leakage of sensitive heap data to userspace.

OSVersionArchitecturePackageVersionFilename
Debian12alllinux< 6.1.52-1linux_6.1.52-1_all.deb
Debian11alllinux< 5.10.197-1linux_5.10.197-1_all.deb
Debian10alllinux< 4.19.249-2linux_4.19.249-2_all.deb
Debian999alllinux< 6.4.13-1linux_6.4.13-1_all.deb
Debian13alllinux< 6.4.13-1linux_6.4.13-1_all.deb
Debian10alllinux-5.10< 5.10.197-1~deb10u1linux-5.10_5.10.197-1~deb10u1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	linux	< 6.1.52-1	linux_6.1.52-1_all.deb
Debian	11	all	linux	< 5.10.197-1	linux_5.10.197-1_all.deb
Debian	10	all	linux	< 4.19.249-2	linux_4.19.249-2_all.deb
Debian	999	all	linux	< 6.4.13-1	linux_6.4.13-1_all.deb
Debian	13	all	linux	< 6.4.13-1	linux_6.4.13-1_all.deb
Debian	10	all	linux-5.10	< 5.10.197-1~deb10u1	linux-5.10_5.10.197-1~deb10u1_all.deb