CVE-2023-0461

Use-after-free vulnerability in the Linux Kernel

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

NVD
RedHat

There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege.

There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock.

When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable.

The setsockopt TCP_ULP operation does not require any privilege.

We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c

A use-after-free flaw was found in the Linux kernel’s TLS protocol functionality in how a user installs a tls context (struct tls_context) on a connected TCP socket. This flaw allows a local user to crash or potentially escalate their privileges on the system.

*Credits: slipper

CVSS Scores

NISTv3.1 7.8

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-01-24 CVE Reserved
2023-02-28 CVE Published
2023-03-10 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

CAPEC-233: Privilege Escalation

References (6)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2c02d41d71f90a5168391b6a5f2954112ba2307c	2023-06-06
https://kernel.dance/#2c02d41d71f90a5168391b6a5f2954112ba2307c	2023-06-06

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-0461	2023-07-18
https://bugzilla.redhat.com/show_bug.cgi?id=2176192	2023-07-18

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.13.0 < 4.14.303 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.13.0 < 4.14.303"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.19 < 4.19.270 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19 < 4.19.270"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.4 < 5.4.229 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4 < 5.4.229"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10 < 5.10.163 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10 < 5.10.163"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 5.15.88 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 5.15.88"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.0 < 6.0.19 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.0.19"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.1.5 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.1.5"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.2 Search vendor "Linux" for product "Linux Kernel" and version "6.2"		rc1		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.2 Search vendor "Linux" for product "Linux Kernel" and version "6.2"		rc2		Affected