CVE-2023-52481 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: arm64: errata: Add Cortex-A520 speculative unprivileged load workaround Implement the workaround for ARM Cortex-A520 erratum 2966298. On an affected Cortex-A520 core, a speculatively executed unprivileged load might leak data from a privileged load via a cache side channel. The issue only exists for loads within a translation regime with the same translation (e.g. same ASID and VMID). Therefore, the issue only affects the return to EL0. The workaround is to execute a TLBI before returning to EL0 after all loads of privileged data. A non-shareable TLBI to any address is sufficient. The workaround isn't necessary if page table isolation (KPTI) is enabled, but for simplicity it will be. Page table isolation should normally be disabled for Cortex-A520 as it supports the CSV3 feature and the E0PD feature (used when KASLR is enabled).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/32b0a4ffcaea44a00a61e40c0d1bcc50362aee25
https://git.kernel.org/stable/c/471470bc7052d28ce125901877dd10e4c048e513
https://git.kernel.org/stable/c/6e3ae2927b432a3b7c8374f14dbc1bd9ebe4372c
https://lore.kernel.org/linux-cve-announce/2024022922-CVE-2023-52481-99a8@gregkh/T/#u
https://nvd.nist.gov/vuln/detail/CVE-2023-52481
https://www.cve.org/CVERecord?id=CVE-2023-52481

History

Mon, 04 Nov 2024 20:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 6.0, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H'}`	cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-02-29T05:43:12.630Z

Updated: 2024-11-04T20:07:29.567Z

Reserved: 2024-02-20T12:30:33.301Z

Link: CVE-2023-52481

Vulnrichment

Updated: 2024-08-02T23:03:19.935Z

NVD

Status : Awaiting Analysis

Published: 2024-02-29T06:15:46.060

Modified: 2024-11-04T20:35:02.537

Link: CVE-2023-52481

Redhat

Severity : Low

Publid Date: 2024-02-29T00:00:00Z

Links: CVE-2023-52481 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-52481", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-20T12:30:33.301Z", "datePublished": "2024-02-29T05:43:12.630Z", "dateUpdated": "2024-11-04T20:07:29.567Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T14:47:41.366Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: errata: Add Cortex-A520 speculative unprivileged load workaround\n\nImplement the workaround for ARM Cortex-A520 erratum 2966298. On an\naffected Cortex-A520 core, a speculatively executed unprivileged load\nmight leak data from a privileged load via a cache side channel. The\nissue only exists for loads within a translation regime with the same\ntranslation (e.g. same ASID and VMID). Therefore, the issue only affects\nthe return to EL0.\n\nThe workaround is to execute a TLBI before returning to EL0 after all\nloads of privileged data. A non-shareable TLBI to any address is\nsufficient.\n\nThe workaround isn't necessary if page table isolation (KPTI) is\nenabled, but for simplicity it will be. Page table isolation should\nnormally be disabled for Cortex-A520 as it supports the CSV3 feature\nand the E0PD feature (used when KASLR is enabled)."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["Documentation/arch/arm64/silicon-errata.rst", "arch/arm64/Kconfig", "arch/arm64/kernel/cpu_errata.c", "arch/arm64/kernel/entry.S", "arch/arm64/tools/cpucaps"], "versions": [{"version": "1da177e4c3f4", "lessThan": "6e3ae2927b43", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "32b0a4ffcaea", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "471470bc7052", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["Documentation/arch/arm64/silicon-errata.rst", "arch/arm64/Kconfig", "arch/arm64/kernel/cpu_errata.c", "arch/arm64/kernel/entry.S", "arch/arm64/tools/cpucaps"], "versions": [{"version": "6.1.57", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.5.7", "lessThanOrEqual": "6.5.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/6e3ae2927b432a3b7c8374f14dbc1bd9ebe4372c"}, {"url": "https://git.kernel.org/stable/c/32b0a4ffcaea44a00a61e40c0d1bcc50362aee25"}, {"url": "https://git.kernel.org/stable/c/471470bc7052d28ce125901877dd10e4c048e513"}], "title": "arm64: errata: Add Cortex-A520 speculative unprivileged load workaround", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-02-29T20:42:26.894938Z", "id": "CVE-2023-52481", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-04T20:07:29.567Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:03:19.935Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/6e3ae2927b432a3b7c8374f14dbc1bd9ebe4372c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/32b0a4ffcaea44a00a61e40c0d1bcc50362aee25", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/471470bc7052d28ce125901877dd10e4c048e513", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/6e3ae2927b432a3b7c8374f14dbc1bd9ebe4372c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/32b0a4ffcaea44a00a61e40c0d1bcc50362aee25", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/471470bc7052d28ce125901877dd10e4c048e513", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:03:19.935Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-52481", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-29T20:42:26.894938Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:14.208Z"}}], "cna": {"title": "arm64: errata: Add Cortex-A520 speculative unprivileged load workaround", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1da177e4c3f4", "lessThan": "6e3ae2927b43", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "32b0a4ffcaea", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "471470bc7052", "versionType": "git"}], "programFiles": ["Documentation/arch/arm64/silicon-errata.rst", "arch/arm64/Kconfig", "arch/arm64/kernel/cpu_errata.c", "arch/arm64/kernel/entry.S", "arch/arm64/tools/cpucaps"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "unaffected", "version": "6.1.57", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.5.7", "versionType": "semver", "lessThanOrEqual": "6.5.*"}, {"status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["Documentation/arch/arm64/silicon-errata.rst", "arch/arm64/Kconfig", "arch/arm64/kernel/cpu_errata.c", "arch/arm64/kernel/entry.S", "arch/arm64/tools/cpucaps"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/6e3ae2927b432a3b7c8374f14dbc1bd9ebe4372c"}, {"url": "https://git.kernel.org/stable/c/32b0a4ffcaea44a00a61e40c0d1bcc50362aee25"}, {"url": "https://git.kernel.org/stable/c/471470bc7052d28ce125901877dd10e4c048e513"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: errata: Add Cortex-A520 speculative unprivileged load workaround\n\nImplement the workaround for ARM Cortex-A520 erratum 2966298. On an\naffected Cortex-A520 core, a speculatively executed unprivileged load\nmight leak data from a privileged load via a cache side channel. The\nissue only exists for loads within a translation regime with the same\ntranslation (e.g. same ASID and VMID). Therefore, the issue only affects\nthe return to EL0.\n\nThe workaround is to execute a TLBI before returning to EL0 after all\nloads of privileged data. A non-shareable TLBI to any address is\nsufficient.\n\nThe workaround isn't necessary if page table isolation (KPTI) is\nenabled, but for simplicity it will be. Page table isolation should\nnormally be disabled for Cortex-A520 as it supports the CSV3 feature\nand the E0PD feature (used when KASLR is enabled)."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T14:47:41.366Z"}}}, "cveMetadata": {"cveId": "CVE-2023-52481", "state": "PUBLISHED", "dateUpdated": "2024-11-04T20:07:29.567Z", "dateReserved": "2024-02-20T12:30:33.301Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-02-29T05:43:12.630Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: errata: Add Cortex-A520 speculative unprivileged load workaround\n\nImplement the workaround for ARM Cortex-A520 erratum 2966298. On an\naffected Cortex-A520 core, a speculatively executed unprivileged load\nmight leak data from a privileged load via a cache side channel. The\nissue only exists for loads within a translation regime with the same\ntranslation (e.g. same ASID and VMID). Therefore, the issue only affects\nthe return to EL0.\n\nThe workaround is to execute a TLBI before returning to EL0 after all\nloads of privileged data. A non-shareable TLBI to any address is\nsufficient.\n\nThe workaround isn't necessary if page table isolation (KPTI) is\nenabled, but for simplicity it will be. Page table isolation should\nnormally be disabled for Cortex-A520 as it supports the CSV3 feature\nand the E0PD feature (used when KASLR is enabled)."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: arm64: errata: Agregar workaround de carga especulativa sin privilegios de Cortex-A520 Implementar la workaround para la errata 2966298 de ARM Cortex-A520. En un n\u00facleo Cortex-A520 afectado, una carga sin privilegios ejecutada especulativamente podr\u00eda filtrarse datos de una carga privilegiada a trav\u00e9s de un canal lateral de cach\u00e9. El problema s\u00f3lo existe para cargas dentro de un r\u00e9gimen de traducci\u00f3n con la misma traducci\u00f3n (por ejemplo, el mismo ASID y VMID). Por tanto, el problema s\u00f3lo afecta al retorno a EL0. La soluci\u00f3n es ejecutar un TLBI antes de regresar a EL0 despu\u00e9s de todas las cargas de datos privilegiados. Un TLBI que no se pueda compartir con cualquier direcci\u00f3n es suficiente. El workaround no es necesario si el aislamiento de la tabla de p\u00e1ginas (KPTI) est\u00e1 habilitado, pero por simplicidad lo ser\u00e1. El aislamiento de la tabla de p\u00e1ginas normalmente debe estar deshabilitado para Cortex-A520, ya que admite la funci\u00f3n CSV3 y la funci\u00f3n E0PD (utilizada cuando KASLR est\u00e1 habilitado)."}], "id": "CVE-2023-52481", "lastModified": "2024-11-04T20:35:02.537", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-02-29T06:15:46.060", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/32b0a4ffcaea44a00a61e40c0d1bcc50362aee25"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/471470bc7052d28ce125901877dd10e4c048e513"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6e3ae2927b432a3b7c8374f14dbc1bd9ebe4372c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: arm64: errata: Add Cortex-A520 speculative unprivileged load workaround", "id": "2267030", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2267030"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H", "status": "draft"}, "cwe": "CWE-1300", "details": ["In the Linux kernel, the following vulnerability has been resolved:\narm64: errata: Add Cortex-A520 speculative unprivileged load workaround\nImplement the workaround for ARM Cortex-A520 erratum 2966298. On an\naffected Cortex-A520 core, a speculatively executed unprivileged load\nmight leak data from a privileged load via a cache side channel. The\nissue only exists for loads within a translation regime with the same\ntranslation (e.g. same ASID and VMID). Therefore, the issue only affects\nthe return to EL0.\nThe workaround is to execute a TLBI before returning to EL0 after all\nloads of privileged data. A non-shareable TLBI to any address is\nsufficient.\nThe workaround isn't necessary if page table isolation (KPTI) is\nenabled, but for simplicity it will be. Page table isolation should\nnormally be disabled for Cortex-A520 as it supports the CSV3 feature\nand the E0PD feature (used when KASLR is enabled)."], "name": "CVE-2023-52481", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Under investigation", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-02-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-52481\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52481\nhttps://lore.kernel.org/linux-cve-announce/2024022922-CVE-2023-52481-99a8@gregkh/T/#u"], "threat_severity": "Low", "upstream_fix": "kernel 6.1.57, kernel 6.5.7, kernel 6.6"}