ubuntucve | Ubuntu.com | UB:CVE-2023-4207
Sep 06, 2023 - 12:00 a.m.

CVE-2023-4207

linux kernel
use-after-free vulnerability
net/sched
cls_fw component
local privilege escalation
fw_change()
tcf_result struct
filter
bugzilla
local user namespaces

CVSS3: 7.8

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001
Percentile: 25.6%

A use-after-free vulnerability in the Linux kernel’s net/sched: cls_fw
component can be exploited to achieve local privilege escalation. When
fw_change() is called on an existing filter, the whole tcf_result struct is
always copied into the new instance of the filter. This causes a problem
when updating a filter bound to a class, as tcf_unbind_filter() is always
called on the old instance in the success path, decreasing filter_cnt of
the still referenced class and allowing it to be deleted, leading to a
use-after-free. We recommend upgrading past commit
76e42ae831991c828cffa8c37736ebfb831ad5ec.
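
The count imbalance described above, reduced to a userspace C model. This is an added example, not kernel code and not the text of the referenced commit; the struct layouts and the names bind_filter, fw_change_copying, fw_change_balanced and dangling_after_update are assumptions, and the balanced variant is one assumed way to keep filter_cnt consistent.

```c
#include <stdio.h>
/* Userspace model only. Struct layouts and every name except fw_change,
 * tcf_result, tcf_unbind_filter and filter_cnt are assumptions. */
struct qclass { int filter_cnt; };         /* class a filter can be bound to */
struct tcf_result { struct qclass *cl; };  /* reduced to the class pointer */
struct fw_filter { struct tcf_result res; };

static void bind_filter(struct fw_filter *f, struct qclass *cl)
{
    f->res.cl = cl;
    cl->filter_cnt++;
}

static void tcf_unbind_filter(struct fw_filter *f)
{
    f->res.cl->filter_cnt--;  /* model: caller only passes a bound filter */
    f->res.cl = NULL;
}

static void fw_change_copying(struct fw_filter *old, struct fw_filter *fnew)
{
    fnew->res = old->res;     /* as described above: whole result copied, no count taken */
    tcf_unbind_filter(old);   /* success path drops the only count */
}

static void fw_change_balanced(struct fw_filter *old, struct fw_filter *fnew)
{
    bind_filter(fnew, old->res.cl);  /* assumed shape: new instance takes its own count */
    tcf_unbind_filter(old);
}

/* Returns 1 if filter_cnt is 0 (class deletable) while the new filter still points at it. */
static int dangling_after_update(int balanced)
{
    struct qclass cl = { 0 };
    struct fw_filter old = { { NULL } }, fnew = { { NULL } };
    bind_filter(&old, &cl);
    if (balanced)
        fw_change_balanced(&old, &fnew);
    else
        fw_change_copying(&old, &fnew);
    return fnew.res.cl == &cl && cl.filter_cnt == 0;
}

int main(void)
{
    printf("copying=%d balanced=%d\n", dangling_after_update(0), dangling_after_update(1));
    return 0;
}
```

In the copying case the class reaches filter_cnt 0 while the new filter still holds its pointer, which is the state that lets the class be deleted under a live reference.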

Bugs

Notes

Priority reason: By using unprivileged user namespaces, this can be exploited to achieve local privilege escalation.

Author: rodrigo-zaiden
Note: fix commit also present in CVE-2023-4128, likely to be marked as duplicated.