CVE-2023-1079

Source: ubuntucve (ubuntu.com), ID UB:CVE-2023-1079
Date: Mar 27, 2023 - 12:00 a.m.
Tags: linux kernel, use-after-free, asus_kbd_backlight_set, usb device, memory corruption, asus device

CVSS3: 6.8 (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Attack Vector: PHYSICAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

EPSS: 0.001
Percentile: 40.3%

A flaw was found in the Linux kernel. A use-after-free may be triggered in
asus_kbd_backlight_set when plugging in or disconnecting a malicious USB
device that advertises itself as an Asus device. This is similar to the
previously known CVE-2023-25012, but affects Asus devices: the work_struct
may be scheduled by the LED controller while the device is disconnecting,
triggering a use-after-free on the struct asus_kbd_leds *led structure. A
malicious USB device may exploit the issue to cause memory corruption with
controlled data.

Notes

Author: sbeattie
Note: requires physical access to plug in/remove a malicious USB device.

OS      OS Version  Architecture  Package         Package Version               Filename
ubuntu  18.04       noarch        linux           < 4.15.0-221.232              UNKNOWN
ubuntu  20.04       noarch        linux           < 5.4.0-152.169               UNKNOWN
ubuntu  22.04       noarch        linux           < 5.15.0-75.82                UNKNOWN
ubuntu  22.10       noarch        linux           < 5.19.0-45.46                UNKNOWN
ubuntu  18.04       noarch        linux-aws       < 4.15.0-1164.177             UNKNOWN
ubuntu  20.04       noarch        linux-aws       < 5.4.0-1104.112              UNKNOWN
ubuntu  22.04       noarch        linux-aws       < 5.15.0-1038.43              UNKNOWN
ubuntu  22.10       noarch        linux-aws       < 5.19.0-1027.28              UNKNOWN
ubuntu  23.04       noarch        linux-aws       < 6.2.0-1003.3                UNKNOWN
ubuntu  20.04       noarch        linux-aws-5.15  < 5.15.0-1038.43~20.04.1      UNKNOWN