CVE-2023-0461
Use-after-free vulnerability in the Linux Kernel
Public Exploits: 1
Exploited in Wild: -
Descriptions
There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability, the kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. The bug is a use-after-free of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, a user can install a TLS context (struct tls_context) on a connected TCP socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c.
A use-after-free flaw was found in the Linux kernel’s TLS protocol functionality in how a user installs a tls context (struct tls_context) on a connected TCP socket. This flaw allows a local user to crash or potentially escalate their privileges on the system.
SSVC
- Decision: Track
Timeline
- 2023-01-24 CVE Reserved
- 2023-02-28 CVE Published
- 2023-03-10 EPSS Updated
- 2023-05-09 First Exploit
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-416: Use After Free
CAPEC
- CAPEC-233: Privilege Escalation
References (7)
URL | Tag | Source |
---|---|---|
https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html | Third Party Advisory | |
https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html | Third Party Advisory | |

URL | Date | SRC |
---|---|---|
https://github.com/hshivhare67/kernel_v4.19.72_CVE-2023-0461 | 2023-05-09 | |

URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2023-0461 | 2023-07-18 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2176192 | 2023-07-18 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Linux | Linux Kernel | >= 4.13.0 < 4.14.303 | - | Affected |
Linux | Linux Kernel | >= 4.19 < 4.19.270 | - | Affected |
Linux | Linux Kernel | >= 5.4 < 5.4.229 | - | Affected |
Linux | Linux Kernel | >= 5.10 < 5.10.163 | - | Affected |
Linux | Linux Kernel | >= 5.15 < 5.15.88 | - | Affected |
Linux | Linux Kernel | >= 6.0 < 6.0.19 | - | Affected |
Linux | Linux Kernel | >= 6.1 < 6.1.5 | - | Affected |
Linux | Linux Kernel | 6.2 | rc1 | Affected |
Linux | Linux Kernel | 6.2 | rc2 | Affected |