{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2023-52436", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-20T12:30:33.290Z", "datePublished": "2024-02-20T18:34:47.387Z", "dateUpdated": "2024-08-02T22:55:41.676Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-28T19:49:20.982Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: explicitly null-terminate the xattr list\n\nWhen setting an xattr, explicitly null-terminate the xattr list. This\neliminates the fragile assumption that the unused xattr space is always\nzeroed."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/f2fs/xattr.c"], "versions": [{"version": "1da177e4c3f4", "lessThan": "16ae3132ff77", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "12cf91e23b12", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "3e47740091b0", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "32a6cfc67675", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "5de9e9dd1828", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "2525d1ba225b", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "f6c30bfe5a49", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "e26b6d39270f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/f2fs/xattr.c"], "versions": [{"version": "4.19.306", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.4.268", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.10.209", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.15.148", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.1.74", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.6.13", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.7.1", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.8", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/16ae3132ff7746894894927c1892493693b89135"}, {"url": "https://git.kernel.org/stable/c/12cf91e23b126718a96b914f949f2cdfeadc7b2a"}, {"url": "https://git.kernel.org/stable/c/3e47740091b05ac8d7836a33afd8646b6863ca52"}, {"url": "https://git.kernel.org/stable/c/32a6cfc67675ee96fe107aeed5af9776fec63f11"}, {"url": "https://git.kernel.org/stable/c/5de9e9dd1828db9b8b962f7ca42548bd596deb8a"}, {"url": "https://git.kernel.org/stable/c/2525d1ba225b5c167162fa344013c408e8b4de36"}, {"url": "https://git.kernel.org/stable/c/f6c30bfe5a49bc38cae985083a11016800708fea"}, {"url": "https://git.kernel.org/stable/c/e26b6d39270f5eab0087453d9b544189a38c8564"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"}], "title": "f2fs: explicitly null-terminate the xattr list", "x_generator": {"engine": "bippy-a5840b7849dd"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52436", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-21T20:39:15.806517Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:23:01.871Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:55:41.676Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/16ae3132ff7746894894927c1892493693b89135", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/12cf91e23b126718a96b914f949f2cdfeadc7b2a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3e47740091b05ac8d7836a33afd8646b6863ca52", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/32a6cfc67675ee96fe107aeed5af9776fec63f11", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5de9e9dd1828db9b8b962f7ca42548bd596deb8a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2525d1ba225b5c167162fa344013c408e8b4de36", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f6c30bfe5a49bc38cae985083a11016800708fea", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e26b6d39270f5eab0087453d9b544189a38c8564", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/16ae3132ff7746894894927c1892493693b89135", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/12cf91e23b126718a96b914f949f2cdfeadc7b2a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3e47740091b05ac8d7836a33afd8646b6863ca52", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/32a6cfc67675ee96fe107aeed5af9776fec63f11", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5de9e9dd1828db9b8b962f7ca42548bd596deb8a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2525d1ba225b5c167162fa344013c408e8b4de36", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f6c30bfe5a49bc38cae985083a11016800708fea", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e26b6d39270f5eab0087453d9b544189a38c8564", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:55:41.676Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52436", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-21T20:39:15.806517Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:12.599Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "f2fs: explicitly null-terminate the xattr list", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1da177e4c3f4", "lessThan": "16ae3132ff77", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "12cf91e23b12", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "3e47740091b0", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "32a6cfc67675", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "5de9e9dd1828", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "2525d1ba225b", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "f6c30bfe5a49", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "e26b6d39270f", "versionType": "git"}], "programFiles": ["fs/f2fs/xattr.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "unaffected", "version": "4.19.306", "versionType": "custom", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.268", "versionType": "custom", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.209", "versionType": "custom", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.148", "versionType": "custom", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.74", "versionType": "custom", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.13", "versionType": "custom", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.1", "versionType": "custom", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/f2fs/xattr.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/16ae3132ff7746894894927c1892493693b89135"}, {"url": "https://git.kernel.org/stable/c/12cf91e23b126718a96b914f949f2cdfeadc7b2a"}, {"url": "https://git.kernel.org/stable/c/3e47740091b05ac8d7836a33afd8646b6863ca52"}, {"url": "https://git.kernel.org/stable/c/32a6cfc67675ee96fe107aeed5af9776fec63f11"}, {"url": "https://git.kernel.org/stable/c/5de9e9dd1828db9b8b962f7ca42548bd596deb8a"}, {"url": "https://git.kernel.org/stable/c/2525d1ba225b5c167162fa344013c408e8b4de36"}, {"url": "https://git.kernel.org/stable/c/f6c30bfe5a49bc38cae985083a11016800708fea"}, {"url": "https://git.kernel.org/stable/c/e26b6d39270f5eab0087453d9b544189a38c8564"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"}], "x_generator": {"engine": "bippy-a5840b7849dd"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: explicitly null-terminate the xattr list\n\nWhen setting an xattr, explicitly null-terminate the xattr list. This\neliminates the fragile assumption that the unused xattr space is always\nzeroed."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-28T19:49:20.982Z"}}}, "cveMetadata": {"cveId": "CVE-2023-52436", "state": "PUBLISHED", "dateUpdated": "2024-08-02T22:55:41.676Z", "dateReserved": "2024-02-20T12:30:33.290Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-02-20T18:34:47.387Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A7AEFD0-0681-4E8D-9074-27416D3EE94C", "versionEndExcluding": "4.19.306", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "35ADF607-EDCA-45AB-8FB6-9F2D40D47C0C", "versionEndExcluding": "5.4.268", "versionStartIncluding": "4.20.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D2E4F24-2FBB-4434-8598-2B1499E566B5", "versionEndExcluding": "5.10.209", "versionStartIncluding": "5.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E25E1389-4B0F-407A-9C94-5908FF3EE88B", "versionEndExcluding": "5.15.148", "versionStartIncluding": "5.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7DD9841-CE11-470D-A285-A2E8E0F6640D", "versionEndExcluding": "6.1.74", "versionStartIncluding": "5.16.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "74A1FFC7-19FA-450E-BC2D-2BBD2EBF0A5F", "versionEndExcluding": "6.6.13", "versionStartIncluding": "6.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "664EB721-F519-48BB-B1C8-897D5990CD78", "versionEndExcluding": "6.7.1", "versionStartIncluding": "6.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: explicitly null-terminate the xattr list\n\nWhen setting an xattr, explicitly null-terminate the xattr list. This\neliminates the fragile assumption that the unused xattr space is always\nzeroed."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: f2fs: termina expl\u00edcitamente en nulo la lista xattr Al configurar un xattr, termina expl\u00edcitamente en nulo la lista xattr. Esto elimina la fr\u00e1gil suposici\u00f3n de que el espacio xattr no utilizado siempre se pone a cero."}], "id": "CVE-2023-52436", "lastModified": "2024-06-27T12:15:14.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-20T21:15:08.060", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/12cf91e23b126718a96b914f949f2cdfeadc7b2a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/16ae3132ff7746894894927c1892493693b89135"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2525d1ba225b5c167162fa344013c408e8b4de36"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/32a6cfc67675ee96fe107aeed5af9776fec63f11"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3e47740091b05ac8d7836a33afd8646b6863ca52"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5de9e9dd1828db9b8b962f7ca42548bd596deb8a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e26b6d39270f5eab0087453d9b544189a38c8564"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f6c30bfe5a49bc38cae985083a11016800708fea"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: f2fs: explicitly null-terminate the xattr list", "id": "2265267", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265267"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-170", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nf2fs: explicitly null-terminate the xattr list\nWhen setting an xattr, explicitly null-terminate the xattr list. This\neliminates the fragile assumption that the unused xattr space is always\nzeroed.", "A flaw was found in the Linux kernel\u2019s f2fs subsystem. When setting an xattr, explicitly null-terminate the xattr list. This eliminates the assumption that the unused xattr space is always zeroed."], "name": "CVE-2023-52436", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-02-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-52436\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52436\nhttps://lore.kernel.org/linux-cve-announce/2024022056-operative-cork-082c@gregkh/T/#u"], "threat_severity": "Low"}