CVE-2023-39198
Kernel: qxl: race condition leading to use-after-free in qxl_mode_dumb_create()
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation.
Se encontró una condición de ejecución en el controlador QXL del kernel de Linux. La función qxl_mode_dumb_create() desreferencia el qobj devuelto por qxl_gem_object_create_with_handle(), pero el identificador es el único que contiene una referencia a él. Esta falla permite a un atacante adivinar el valor de identificador devuelto y desencadenar un problema de use-after-free, lo que podría provocar una denegación de servicio o una escalada de privilegios.
This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the QXL VGA driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2023-07-25 CVE Reserved
- 2023-11-09 CVE Published
- 2024-08-26 EPSS Updated
- 2024-09-13 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-416: Use After Free
CAPEC
References (6)
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=2218332 | 2024-05-22 |
URL | Date | SRC |
---|---|---|
https://access.redhat.com/errata/RHSA-2024:2394 | 2024-06-25 | |
https://access.redhat.com/errata/RHSA-2024:2950 | 2024-06-25 | |
https://access.redhat.com/errata/RHSA-2024:3138 | 2024-06-25 | |
https://access.redhat.com/security/cve/CVE-2023-39198 | 2024-05-22 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 6.5 Search vendor "Linux" for product "Linux Kernel" and version " < 6.5" | - |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 6.5 Search vendor "Linux" for product "Linux Kernel" and version "6.5" | rc1 |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 6.5 Search vendor "Linux" for product "Linux Kernel" and version "6.5" | rc2 |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 6.5 Search vendor "Linux" for product "Linux Kernel" and version "6.5" | rc3 |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 6.5 Search vendor "Linux" for product "Linux Kernel" and version "6.5" | rc4 |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 6.5 Search vendor "Linux" for product "Linux Kernel" and version "6.5" | rc5 |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 6.5 Search vendor "Linux" for product "Linux Kernel" and version "6.5" | rc6 |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 38 Search vendor "Fedoraproject" for product "Fedora" and version "38" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 9.0 Search vendor "Redhat" for product "Enterprise Linux" and version "9.0" | - |
Affected
|