CVE-2023-6039

2023-11-0900:00:00

ubuntu.com

use-after-free

lan78xx_disconnect

local attacker

crash

linux kernel

network

usb device

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.2%

JSON

A use-after-free flaw was found in lan78xx_disconnect in
drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx in
the Linux Kernel. This flaw allows a local attacker to crash the system
when the LAN78XX USB device detaches.

Bugs

Notes

Author	Note
	Priority reason: Requires a device to be disconnected (physical proximity) or the lan78xx driver to be unloaded to exploit.
rodrigo-zaiden	issue observed when device is disconnected or driver unloaded. a regression was reported in Jammy kernel release, version 5.15.0-94.104. the regression could lead the kernel to crash, under the same condition: device removal. hence, the priority is still low when considering the regression. two commits are needed in order to have the regression fixed: 82ed6f7ef58f timers: Replace BUG_ON()s d02e382cef06 timers: Silently ignore timers with a NULL function Jammy release version 5.15.0-106.116 includes the first fix for the regression and the second will be placed in next releases.

Author

Note

Priority reason: Requires a device to be disconnected (physical proximity) or the lan78xx driver to be unloaded to exploit.

rodrigo-zaiden

issue observed when device is disconnected or driver unloaded. a regression was reported in Jammy kernel release, version 5.15.0-94.104. the regression could lead the kernel to crash, under the same condition: device removal. hence, the priority is still low when considering the regression. two commits are needed in order to have the regression fixed: 82ed6f7ef58f timers: Replace BUG_ON()s d02e382cef06 timers: Silently ignore timers with a NULL function Jammy release version 5.15.0-106.116 includes the first fix for the regression and the second will be placed in next releases.

OSVersionArchitecturePackageVersionFilename
ubuntu22.04noarchlinux< 5.15.0-94.104UNKNOWN
ubuntu23.04noarchlinux< 6.2.0-39.40UNKNOWN
ubuntu22.04noarchlinux-aws< 5.15.0-1053.58UNKNOWN
ubuntu23.04noarchlinux-aws< 6.2.0-1017.17UNKNOWN
ubuntu20.04noarchlinux-aws-5.15< 5.15.0-1053.58~20.04.1UNKNOWN
ubuntu22.04noarchlinux-aws-6.2< 6.2.0-1017.17~22.04.1UNKNOWN
ubuntu22.04noarchlinux-azure< 5.15.0-1056.64UNKNOWN
ubuntu23.04noarchlinux-azure< 6.2.0-1018.18UNKNOWN
ubuntu20.04noarchlinux-azure-5.15< 5.15.0-1056.64~20.04.1UNKNOWN
ubuntu22.04noarchlinux-azure-6.2< 6.2.0-1018.18~22.04.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	22.04	noarch	linux	< 5.15.0-94.104	UNKNOWN
ubuntu	23.04	noarch	linux	< 6.2.0-39.40	UNKNOWN
ubuntu	22.04	noarch	linux-aws	< 5.15.0-1053.58	UNKNOWN
ubuntu	23.04	noarch	linux-aws	< 6.2.0-1017.17	UNKNOWN
ubuntu	20.04	noarch	linux-aws-5.15	< 5.15.0-1053.58~20.04.1	UNKNOWN
ubuntu	22.04	noarch	linux-aws-6.2	< 6.2.0-1017.17~22.04.1	UNKNOWN
ubuntu	22.04	noarch	linux-azure	< 5.15.0-1056.64	UNKNOWN
ubuntu	23.04	noarch	linux-azure	< 6.2.0-1018.18	UNKNOWN
ubuntu	20.04	noarch	linux-azure-5.15	< 5.15.0-1056.64~20.04.1	UNKNOWN
ubuntu	22.04	noarch	linux-azure-6.2	< 6.2.0-1018.18~22.04.1	UNKNOWN