OpenCVE

A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation. Both io_install_fixed_file and its callers call fput in a file in case of an error, causing a reference underflow which leads to a use-after-free vulnerability. We recommend upgrading past commit 9d94c04c0db024922e886c9fd429659f22f48ea4.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel
Netapp	Hci Baseboard Management Controller

Configuration 1 [-]

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:netapp:hci_baseboard_management_controller:h300s:::::::*
	cpe:2.3:a:netapp:hci_baseboard_management_controller:h410c:::::::*
	cpe:2.3:a:netapp:hci_baseboard_management_controller:h410s:::::::*
	cpe:2.3:a:netapp:hci_baseboard_management_controller:h500s:::::::*
	cpe:2.3:a:netapp:hci_baseboard_management_controller:h700s:::::::*

No data.

References

Link	Providers
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9d94c04c0db024922e886c9fd429659f22f48ea4
https://kernel.dance/9d94c04c0db024922e886c9fd429659f22f48ea4
https://nvd.nist.gov/vuln/detail/CVE-2023-2236
https://security.netapp.com/advisory/ntap-20230601-0010/
https://www.cve.org/CVERecord?id=CVE-2023-2236

History

No history.

MITRE

Status: PUBLISHED

Assigner: Google

Published: 2023-05-01T12:50:47.742Z

Updated: 2024-08-02T06:19:13.600Z

Reserved: 2023-04-21T17:43:28.315Z

Link: CVE-2023-2236

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-05-01T13:15:44.850

Modified: 2024-11-21T07:58:12.760

Link: CVE-2023-2236

Redhat

Severity : Important

Publid Date: 2022-11-23T06:30:00Z

Links: CVE-2023-2236 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-2236", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2023-04-21T17:43:28.315Z", "datePublished": "2023-05-01T12:50:47.742Z", "dateUpdated": "2024-08-02T06:19:13.600Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "kernel", "product": "Linux Kernel", "repo": "https://git.kernel.org", "vendor": "Linux", "versions": [{"lessThan": "6.1", "status": "affected", "version": "5.19", "versionType": "custom"}]}], "datePublic": "2022-11-25T13:54:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.</p><p>Both <span style=\"background-color: rgb(255, 255, 255);\">io_install_fixed_file</span> and its callers call fput in a file in case of an error, causing a reference underflow which leads to a use-after-free vulnerability.</p><p>We recommend upgrading past commit 9d94c04c0db024922e886c9fd429659f22f48ea4.</p>"}], "value": "A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.\n\nBoth\u00a0io_install_fixed_file\u00a0and its callers call fput in a file in case of an error, causing a reference underflow which leads to a use-after-free vulnerability.\n\nWe recommend upgrading past commit 9d94c04c0db024922e886c9fd429659f22f48ea4.\n\n"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2023-05-01T12:50:47.742Z"}, "references": [{"tags": ["patch"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9d94c04c0db024922e886c9fd429659f22f48ea4"}, {"url": "https://kernel.dance/9d94c04c0db024922e886c9fd429659f22f48ea4"}, {"url": "https://security.netapp.com/advisory/ntap-20230601-0010/"}], "source": {"discovery": "EXTERNAL"}, "title": "Use-after-free in Linux kernel's Performance Events subsystem", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:19:13.600Z"}, "title": "CVE Program Container", "references": [{"tags": ["patch", "x_transferred"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9d94c04c0db024922e886c9fd429659f22f48ea4"}, {"url": "https://kernel.dance/9d94c04c0db024922e886c9fd429659f22f48ea4", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230601-0010/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "96F47CB7-A27F-4316-BBC3-15AE6B5A0734", "versionEndExcluding": "6.0.11", "versionStartIncluding": "5.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:hci_baseboard_management_controller:h300s:*:*:*:*:*:*:*", "matchCriteriaId": "27227B35-932A-4035-B39F-6A455753C0D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:hci_baseboard_management_controller:h410c:*:*:*:*:*:*:*", "matchCriteriaId": "489D20B9-166F-423D-8C48-A23D3026E33B", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:hci_baseboard_management_controller:h410s:*:*:*:*:*:*:*", "matchCriteriaId": "A4AD592C-222D-4C6F-B176-8145A1A5AFEC", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:hci_baseboard_management_controller:h500s:*:*:*:*:*:*:*", "matchCriteriaId": "8603654B-A8A9-4DEB-B0DD-C82E1C885749", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:hci_baseboard_management_controller:h700s:*:*:*:*:*:*:*", "matchCriteriaId": "C855C933-F271-45E6-8E85-8D7CF2EF1BE6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.\n\nBoth\u00a0io_install_fixed_file\u00a0and its callers call fput in a file in case of an error, causing a reference underflow which leads to a use-after-free vulnerability.\n\nWe recommend upgrading past commit 9d94c04c0db024922e886c9fd429659f22f48ea4.\n\n"}], "id": "CVE-2023-2236", "lastModified": "2024-11-21T07:58:12.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "cve-coordination@google.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-05-01T13:15:44.850", "references": [{"source": "cve-coordination@google.com", "tags": ["Exploit", "Mailing List", "Patch"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9d94c04c0db024922e886c9fd429659f22f48ea4"}, {"source": "cve-coordination@google.com", "tags": ["Exploit", "Patch"], "url": "https://kernel.dance/9d94c04c0db024922e886c9fd429659f22f48ea4"}, {"source": "cve-coordination@google.com", "tags": ["Vendor Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230601-0010/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mailing List", "Patch"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9d94c04c0db024922e886c9fd429659f22f48ea4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch"], "url": "https://kernel.dance/9d94c04c0db024922e886c9fd429659f22f48ea4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230601-0010/"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "cve-coordination@google.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: use-after-free in io_uring/filetable in io_install_fixed_file", "id": "2196759", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2196759"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.\nBoth\u00a0io_install_fixed_file\u00a0and its callers call fput in a file in case of an error, causing a reference underflow which leads to a use-after-free vulnerability.\nWe recommend upgrading past commit 9d94c04c0db024922e886c9fd429659f22f48ea4.", "A use-after-free vulnerability was found in io_install_fixed_file in io_uring/filetable.c in the Linux Kernel\u2019s io_uring subsystem. This flaw allows an attacker to achieve local privilege escalation."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-2236", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2022-11-23T06:30:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-2236\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-2236\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9d94c04c0db024922e886c9fd429659f22f48ea4"], "statement": "There was no shipped kernel version were seen affected with this problem. These files are not built in our source code.", "threat_severity": "Important", "upstream_fix": "Kernel 6.1-rc7"}