CVE-2023-0266

Linux Kernel Use-After-Free Vulnerability

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

*SSVC

Descriptions

A use after free vulnerability exists in the ALSA PCM package in the Linux Kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result in a priviledge escalation to gain ring0 access from the system user. We recommend upgrading past commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e

A use-after-free flaw was found in snd_ctl_elem_read in sound/core/control.c in Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel. In this flaw a normal privileged, local attacker may impact the system due to a locking issue in the compat path, leading to a kernel information leak problem.

Linux kernel contains a use-after-free vulnerability that allows for privilege escalation to gain ring0 access from the system user.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-01-13 CVE Reserved
2023-01-24 CVE Published
2023-03-30 Exploited in Wild
2023-04-20 KEV Due Date
2024-08-02 CVE Updated
2024-08-11 EPSS Updated
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

CAPEC-233: Privilege Escalation

References (6)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html	Mailing List

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-5.10/alsa-pcm-move-rwsem-lock-inside-snd_ctl_elem_read-to-prevent-uaf.patch?id=72783cf35e6c55bca84c4bb7b776c58152856fd4	2023-08-29
https://github.com/torvalds/linux/commit/56b88b50565cd8b946a2d00b0c83927b7ebb055e	2023-08-29
https://github.com/torvalds/linux/commit/becf9e5d553c2389d857a3c178ce80fdb34a02e1	2023-08-29

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-0266	2023-04-10
https://bugzilla.redhat.com/show_bug.cgi?id=2163379	2023-04-10

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 4.14.303 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 4.14.303"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.15 < 4.19.270 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 4.19.270"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 5.4.229 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 5.4.229"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.5 < 5.10.163 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.5 < 5.10.163"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.11 < 5.15.88 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 5.15.88"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.16 < 6.1.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.16 < 6.1.6"		-		Affected