{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-2430", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-02T06:19:15.243Z", "dateReserved": "2023-04-30T00:00:00", "datePublished": "2023-07-23T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-09-10T11:06:42.102647"}, "descriptions": [{"lang": "en", "value": "A vulnerability was found due to missing lock for IOPOLL flaw in io_cqring_event_overflow() in io_uring.c in Linux Kernel. This flaw allows a local attacker with user privilege to trigger a Denial of Service threat."}], "affected": [{"vendor": "n/a", "product": "kernel", "versions": [{"version": "Kernel Linux prior to Kernel 6.2 RC5", "status": "affected"}]}], "references": [{"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e12d7a46f65ae4b7d58a5e0c1cbfa825cf8"}, {"name": "DSA-5492", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2023/dsa-5492"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-413", "cweId": "CWE-413"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:19:15.243Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e12d7a46f65ae4b7d58a5e0c1cbfa825cf8", "tags": ["x_transferred"]}, {"name": "DSA-5492", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2023/dsa-5492"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "108695B6-7133-4B6C-80AF-0F66880FE858", "versionEndExcluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:-:*:*:*:*:*:*", "matchCriteriaId": "3ADCCCEE-143A-4B48-9B2A-0CB97BD385DE", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "FF501633-2F44-4913-A8EE-B021929F49F6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*", "matchCriteriaId": "2BDA597B-CAC1-4DF0-86F0-42E142C654E9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*", "matchCriteriaId": "725C78C9-12CE-406F-ABE8-0813A01D66E8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*", "matchCriteriaId": "A127C155-689C-4F67-B146-44A57F4BFD85", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found due to missing lock for IOPOLL flaw in io_cqring_event_overflow() in io_uring.c in Linux Kernel. This flaw allows a local attacker with user privilege to trigger a Denial of Service threat."}], "id": "CVE-2023-2430", "lastModified": "2023-09-10T12:15:45.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-07-23T02:15:11.257", "references": [{"source": "secalert@redhat.com", "tags": ["Patch"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e12d7a46f65ae4b7d58a5e0c1cbfa825cf8"}, {"source": "secalert@redhat.com", "url": "https://www.debian.org/security/2023/dsa-5492"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-667"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-413"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Gengjia Chen (IceSword Lab) and Xingyuan Mo (IceSword Lab) for reporting this issue.", "bugzilla": {"description": "kernel: missing lock in io_uring/msg_ring.c for IOPOLL in io_uring cause denial of service", "id": "2192175", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2192175"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-667", "details": ["A vulnerability was found due to missing lock for IOPOLL flaw in io_cqring_event_overflow() in io_uring.c in Linux Kernel. This flaw allows a local attacker with user privilege to trigger a Denial of Service threat.", "A vulnerability was found due to a missing lock for the IOPOLL in io_cqring_event_overflow() in io_uring.c in the Linux kernel. This flaw allows a local attacker with user privileges to trigger a denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-2430", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2023-01-19T06:30:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-2430\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-2430\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e12d7a46f65ae4b7d58a5e0c1cbfa825cf8"], "threat_severity": "Moderate", "upstream_fix": "Kernel 6.2 RC5"}