Lucene search

K
nvd[email protected]NVD:CVE-2023-2235
HistoryMay 01, 2023 - 1:15 p.m.

CVE-2023-2235

2023-05-0113:15:44
CWE-416
web.nvd.nist.gov
linux kernel
performance events
local privilege escalation
use-after-free vulnerability
upgrade
cve-2023-2235

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.9 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

A use-after-free vulnerability in the Linux Kernel Performance Events system can be exploited to achieve local privilege escalation.

The perf_group_detach function did not check the event’s siblings’ attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on before detaching from their group, making it possible to use a dangling pointer causing a use-after-free vulnerability.

We recommend upgrading past commit fd0815f632c24878e325821943edccc7fde947a2.

Affected configurations

NVD
Node
linuxlinux_kernelRange5.135.15.104
OR
linuxlinux_kernelRange5.166.1.21
OR
linuxlinux_kernelRange6.26.2.8

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.9 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%