CVE-2023-1872 - OpenCVE

A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation. The io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered. We recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Linux	Linux Kernel

Configuration 1 [-]

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/173087/Kernel-Live-Patch-Security-Notice-LSN-0095-1.html
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=08681391b84da27133deefaaddefd0acfa90c2be
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=da24142b1ef9fd5d36b76e36bab328a5b27523e8
https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html
https://nvd.nist.gov/vuln/detail/CVE-2023-1872
https://security.netapp.com/advisory/ntap-20230601-0002/
https://www.cve.org/CVERecord?id=CVE-2023-1872

History

No history.

MITRE

Status: PUBLISHED

Assigner: Google

Published: 2023-04-12T15:40:42.386Z

Updated: 2024-08-02T06:05:26.723Z

Reserved: 2023-04-05T13:26:00.875Z

Link: CVE-2023-1872

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-04-12T16:15:17.027

Modified: 2024-02-29T20:23:26.247

Link: CVE-2023-1872

Redhat

Severity : Important

Publid Date: 2023-04-13T00:00:00Z

Links: CVE-2023-1872 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-1872", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2023-04-05T13:26:00.875Z", "datePublished": "2023-04-12T15:40:42.386Z", "dateUpdated": "2024-08-02T06:05:26.723Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "kernel", "product": "Linux Kernel", "repo": "https://git.kernel.org", "vendor": "Linux", "versions": [{"lessThanOrEqual": "5.17", "status": "affected", "version": "5.7", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Bing-Jhong Billy Jheng of Starlabs"}], "datePublic": "2023-03-03T10:45:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation.</p><p>The io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered.</p><p>We recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.</p>"}], "value": "A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation.\n\nThe io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered.\n\nWe recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.\n\n"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2023-04-12T15:40:42.386Z"}, "references": [{"url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=08681391b84da27133deefaaddefd0acfa90c2be"}, {"url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=da24142b1ef9fd5d36b76e36bab328a5b27523e8"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"}, {"url": "https://security.netapp.com/advisory/ntap-20230601-0002/"}, {"url": "http://packetstormsecurity.com/files/173087/Kernel-Live-Patch-Security-Notice-LSN-0095-1.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Use-after-free in Linux kernel's io_uring subsystem", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:05:26.723Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=08681391b84da27133deefaaddefd0acfa90c2be", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=da24142b1ef9fd5d36b76e36bab328a5b27523e8", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230601-0002/", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/173087/Kernel-Live-Patch-Security-Notice-LSN-0095-1.html", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F0679CB-0039-43FB-94D1-171403E75419", "versionEndExcluding": "5.17", "versionStartIncluding": "5.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation.\n\nThe io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered.\n\nWe recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.\n\n"}], "id": "CVE-2023-1872", "lastModified": "2024-02-29T20:23:26.247", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2023-04-12T16:15:17.027", "references": [{"source": "cve-coordination@google.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/173087/Kernel-Live-Patch-Security-Notice-LSN-0095-1.html"}, {"source": "cve-coordination@google.com", "tags": ["Mailing List", "Product"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=08681391b84da27133deefaaddefd0acfa90c2be"}, {"source": "cve-coordination@google.com", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=da24142b1ef9fd5d36b76e36bab328a5b27523e8"}, {"source": "cve-coordination@google.com", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"}, {"source": "cve-coordination@google.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230601-0002/"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}

{"bugzilla": {"description": "kernel: io_uring: use-after-free vulnerability in io_file_get_fixed", "id": "2186621", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2186621"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation.\nThe io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered.\nWe recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.", "A flaw was found in the io_uring subsystem of the Linux kernel. The io_file_get_fixed function lacks the presence of ctx->uring_lock, which can lead to a use-after-free vulnerability due to a race condition with fixed files getting unregistered. This flaw allows local privilege escalation."], "name": "CVE-2023-1872", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2023-04-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-1872\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-1872"], "statement": "Shipping releases of Red Hat Enterprise Linux kernels are not affected by this flaw, as they do not include support for the `io_uring` subsystem (CONFIG_IO_URING is not set).", "threat_severity": "Important"}