CVE-2023-28577
Multiple Dmabuf Kernel Address UAF Vulnerability
Severity Score
7.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track*
*SSVC
Descriptions
In the function call related to CAM_REQ_MGR_RELEASE_BUF there is no check if the buffer is being used. So when a function called cam_mem_get_cpu_buf to get the kernel va to use, another thread can call CAM_REQ_MGR_RELEASE_BUF to unmap the kernel va which cause UAF of the kernel address.
En la llamada a la función CAM_REQ_MGR_RELEASE_BUF no se comprueba si el buffer está siendo utilizado. Así que cuando una función llama a cam_mem_get_cpu_buf para obtener la va del kernel a utilizar, otro hilo puede llamar a CAM_REQ_MGR_RELEASE_BUF para desasignar la va del kernel que causa UAF de la dirección del kernel.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track*
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-03-17 CVE Reserved
- 2023-08-08 CVE Published
- 2023-08-09 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-416: Use After Free
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.qualcomm.com/company/product-security/bulletins/august-2023-bulletin | 2024-04-12 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Qualcomm Search vendor "Qualcomm" | Fastconnect 6800 Firmware Search vendor "Qualcomm" for product "Fastconnect 6800 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Fastconnect 6800 Search vendor "Qualcomm" for product "Fastconnect 6800" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Fastconnect 6900 Firmware Search vendor "Qualcomm" for product "Fastconnect 6900 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Fastconnect 6900 Search vendor "Qualcomm" for product "Fastconnect 6900" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Fastconnect 7800 Firmware Search vendor "Qualcomm" for product "Fastconnect 7800 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Fastconnect 7800 Search vendor "Qualcomm" for product "Fastconnect 7800" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Qca6391 Firmware Search vendor "Qualcomm" for product "Qca6391 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Qca6391 Search vendor "Qualcomm" for product "Qca6391" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Qca6426 Firmware Search vendor "Qualcomm" for product "Qca6426 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Qca6426 Search vendor "Qualcomm" for product "Qca6426" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Qca6436 Firmware Search vendor "Qualcomm" for product "Qca6436 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Qca6436 Search vendor "Qualcomm" for product "Qca6436" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Qcn9074 Firmware Search vendor "Qualcomm" for product "Qcn9074 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Qcn9074 Search vendor "Qualcomm" for product "Qcn9074" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Qcs410 Firmware Search vendor "Qualcomm" for product "Qcs410 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Qcs410 Search vendor "Qualcomm" for product "Qcs410" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Qcs610 Firmware Search vendor "Qualcomm" for product "Qcs610 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Qcs610 Search vendor "Qualcomm" for product "Qcs610" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Sd865 5g Firmware Search vendor "Qualcomm" for product "Sd865 5g Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Sd865 5g Search vendor "Qualcomm" for product "Sd865 5g" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Snapdragon 8 Gen 1 Firmware Search vendor "Qualcomm" for product "Snapdragon 8 Gen 1 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Snapdragon 8 Gen 1 Search vendor "Qualcomm" for product "Snapdragon 8 Gen 1" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Snapdragon 865 5g Firmware Search vendor "Qualcomm" for product "Snapdragon 865 5g Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Snapdragon 865 5g Search vendor "Qualcomm" for product "Snapdragon 865 5g" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Snapdragon 865\+ 5g Firmware Search vendor "Qualcomm" for product "Snapdragon 865\+ 5g Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Snapdragon 865\+ 5g Search vendor "Qualcomm" for product "Snapdragon 865\+ 5g" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Snapdragon 870 5g Firmware Search vendor "Qualcomm" for product "Snapdragon 870 5g Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Snapdragon 870 5g Search vendor "Qualcomm" for product "Snapdragon 870 5g" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Snapdragon X55 5g Firmware Search vendor "Qualcomm" for product "Snapdragon X55 5g Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Snapdragon X55 5g Search vendor "Qualcomm" for product "Snapdragon X55 5g" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Snapdragon Xr2 5g Firmware Search vendor "Qualcomm" for product "Snapdragon Xr2 5g Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Snapdragon Xr2 5g Search vendor "Qualcomm" for product "Snapdragon Xr2 5g" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Sw5100 Firmware Search vendor "Qualcomm" for product "Sw5100 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Sw5100 Search vendor "Qualcomm" for product "Sw5100" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Sw5100p Firmware Search vendor "Qualcomm" for product "Sw5100p Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Sw5100p Search vendor "Qualcomm" for product "Sw5100p" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Sxr2130 Firmware Search vendor "Qualcomm" for product "Sxr2130 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Sxr2130 Search vendor "Qualcomm" for product "Sxr2130" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Wcd9341 Firmware Search vendor "Qualcomm" for product "Wcd9341 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Wcd9341 Search vendor "Qualcomm" for product "Wcd9341" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Wcd9370 Firmware Search vendor "Qualcomm" for product "Wcd9370 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Wcd9370 Search vendor "Qualcomm" for product "Wcd9370" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Wcd9380 Firmware Search vendor "Qualcomm" for product "Wcd9380 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Wcd9380 Search vendor "Qualcomm" for product "Wcd9380" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Wcn3660b Firmware Search vendor "Qualcomm" for product "Wcn3660b Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Wcn3660b Search vendor "Qualcomm" for product "Wcn3660b" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Wcn3680b Firmware Search vendor "Qualcomm" for product "Wcn3680b Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Wcn3680b Search vendor "Qualcomm" for product "Wcn3680b" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Wcn3950 Firmware Search vendor "Qualcomm" for product "Wcn3950 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Wcn3950 Search vendor "Qualcomm" for product "Wcn3950" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Wcn3980 Firmware Search vendor "Qualcomm" for product "Wcn3980 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Wcn3980 Search vendor "Qualcomm" for product "Wcn3980" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Wcn3988 Firmware Search vendor "Qualcomm" for product "Wcn3988 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Wcn3988 Search vendor "Qualcomm" for product "Wcn3988" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Wsa8810 Firmware Search vendor "Qualcomm" for product "Wsa8810 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Wsa8810 Search vendor "Qualcomm" for product "Wsa8810" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Wsa8815 Firmware Search vendor "Qualcomm" for product "Wsa8815 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Wsa8815 Search vendor "Qualcomm" for product "Wsa8815" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Wsa8830 Firmware Search vendor "Qualcomm" for product "Wsa8830 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Wsa8830 Search vendor "Qualcomm" for product "Wsa8830" | - | - |
Safe
|
| Qualcomm Search vendor "Qualcomm" | Wsa8835 Firmware Search vendor "Qualcomm" for product "Wsa8835 Firmware" | - | - |
Affected
| in | Qualcomm Search vendor "Qualcomm" | Wsa8835 Search vendor "Qualcomm" for product "Wsa8835" | - | - |
Safe
|