Ubuntu.comUB:CVE-2023-37454CVE-2023-37454
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
9.8%
An issue was discovered in the Linux kernel through 6.4.2. A crafted UDF
filesystem image causes a use-after-free write operation in the
udf_put_super and udf_close_lvid functions in fs/udf/super.c. NOTE: the
suse.com reference has a different perspective about this.
Bugs
- <https://bugzilla.redhat.com/show_bug.cgi?id=2221038>
- <https://bugzilla.suse.com/show_bug.cgi?id=1213122>
Notes
| Author | Note |
|---|---|
| sbeattie | according to upstream, this is syzkaller corrupting a mounted loopback device by writing directly to the device while it’s mounted. Upstream is unlikely to fix this, other than by having the fuzzer not do that. |
| cengizcan | CVE disputed September 2023. Won’t fix. |
References
launchpad.net/bugs/cve/CVE-2023-37454
lore.kernel.org/all/[email protected]/T/
nvd.nist.gov/vuln/detail/CVE-2023-37454
security-tracker.debian.org/tracker/CVE-2023-37454
syzkaller.appspot.com/bug?extid=26873a72980f8fa8bc55
syzkaller.appspot.com/bug?extid=60864ed35b1073540d57
syzkaller.appspot.com/bug?extid=61564e5023b7229ec85d
www.cve.org/CVERecord?id=CVE-2023-37454
Related
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
9.8%