CVE-2023-28577
Multiple Dmabuf Kernel Address UAF Vulnerability
Severity Score: 7.8 (CVSS v3.1)
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: Track* (SSVC)
Descriptions
The function call related to CAM_REQ_MGR_RELEASE_BUF does not check whether the buffer is in use. When a function calls cam_mem_get_cpu_buf to obtain the kernel VA for use, another thread can call CAM_REQ_MGR_RELEASE_BUF to unmap that kernel VA, which causes a use-after-free (UAF) of the kernel address.
*Credits:
N/A
SSVC
- Decision: Track*
* Organization's Worst-case Scenario
Timeline
- 2023-03-17 CVE Reserved
- 2023-08-08 CVE Published
- 2024-08-02 CVE Updated
- 2025-04-15 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-416: Use After Free
References (1)
URL | Date | SRC |
---|---|---|
https://www.qualcomm.com/company/product-security/bulletins/august-2023-bulletin | 2024-04-12 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | | Vendor | Product | Version | Other | Status |
---|---|---|---|---|---|---|---|---|---|---|
Qualcomm | Fastconnect 6800 Firmware | - | - | Affected | in | Qualcomm | Fastconnect 6800 | - | - | Safe |
Qualcomm | Fastconnect 6900 Firmware | - | - | Affected | in | Qualcomm | Fastconnect 6900 | - | - | Safe |
Qualcomm | Fastconnect 7800 Firmware | - | - | Affected | in | Qualcomm | Fastconnect 7800 | - | - | Safe |
Qualcomm | Qca6391 Firmware | - | - | Affected | in | Qualcomm | Qca6391 | - | - | Safe |
Qualcomm | Qca6426 Firmware | - | - | Affected | in | Qualcomm | Qca6426 | - | - | Safe |
Qualcomm | Qca6436 Firmware | - | - | Affected | in | Qualcomm | Qca6436 | - | - | Safe |
Qualcomm | Qcn9074 Firmware | - | - | Affected | in | Qualcomm | Qcn9074 | - | - | Safe |
Qualcomm | Qcs410 Firmware | - | - | Affected | in | Qualcomm | Qcs410 | - | - | Safe |
Qualcomm | Qcs610 Firmware | - | - | Affected | in | Qualcomm | Qcs610 | - | - | Safe |
Qualcomm | Sd865 5g Firmware | - | - | Affected | in | Qualcomm | Sd865 5g | - | - | Safe |
Qualcomm | Snapdragon 8 Gen 1 Firmware | - | - | Affected | in | Qualcomm | Snapdragon 8 Gen 1 | - | - | Safe |
Qualcomm | Snapdragon 865 5g Firmware | - | - | Affected | in | Qualcomm | Snapdragon 865 5g | - | - | Safe |
Qualcomm | Snapdragon 865+ 5g Firmware | - | - | Affected | in | Qualcomm | Snapdragon 865+ 5g | - | - | Safe |
Qualcomm | Snapdragon 870 5g Firmware | - | - | Affected | in | Qualcomm | Snapdragon 870 5g | - | - | Safe |
Qualcomm | Snapdragon X55 5g Firmware | - | - | Affected | in | Qualcomm | Snapdragon X55 5g | - | - | Safe |
Qualcomm | Snapdragon Xr2 5g Firmware | - | - | Affected | in | Qualcomm | Snapdragon Xr2 5g | - | - | Safe |
Qualcomm | Sw5100 Firmware | - | - | Affected | in | Qualcomm | Sw5100 | - | - | Safe |
Qualcomm | Sw5100p Firmware | - | - | Affected | in | Qualcomm | Sw5100p | - | - | Safe |
Qualcomm | Sxr2130 Firmware | - | - | Affected | in | Qualcomm | Sxr2130 | - | - | Safe |
Qualcomm | Wcd9341 Firmware | - | - | Affected | in | Qualcomm | Wcd9341 | - | - | Safe |
Qualcomm | Wcd9370 Firmware | - | - | Affected | in | Qualcomm | Wcd9370 | - | - | Safe |
Qualcomm | Wcd9380 Firmware | - | - | Affected | in | Qualcomm | Wcd9380 | - | - | Safe |
Qualcomm | Wcn3660b Firmware | - | - | Affected | in | Qualcomm | Wcn3660b | - | - | Safe |
Qualcomm | Wcn3680b Firmware | - | - | Affected | in | Qualcomm | Wcn3680b | - | - | Safe |
Qualcomm | Wcn3950 Firmware | - | - | Affected | in | Qualcomm | Wcn3950 | - | - | Safe |
Qualcomm | Wcn3980 Firmware | - | - | Affected | in | Qualcomm | Wcn3980 | - | - | Safe |
Qualcomm | Wcn3988 Firmware | - | - | Affected | in | Qualcomm | Wcn3988 | - | - | Safe |
Qualcomm | Wsa8810 Firmware | - | - | Affected | in | Qualcomm | Wsa8810 | - | - | Safe |
Qualcomm | Wsa8815 Firmware | - | - | Affected | in | Qualcomm | Wsa8815 | - | - | Safe |
Qualcomm | Wsa8830 Firmware | - | - | Affected | in | Qualcomm | Wsa8830 | - | - | Safe |
Qualcomm | Wsa8835 Firmware | - | - | Affected | in | Qualcomm | Wsa8835 | - | - | Safe |