CVE-2023-4622

Use-after-free in Linux kernel's af_unix component

Severity Score

7.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation. The unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free. We recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.

Se puede explotar una vulnerabilidad de use-after-free en el componente Linux kernel's af_unix para lograr una escalada de privilegios local. La función unix_stream_sendpage() intenta añadir datos al último skb en la cola peer's recv sin bloquear la cola. Por lo tanto, existe una carrera donde unix_stream_sendpage() podría acceder a un skb sin bloqueo que está siendo liberado mediante la recolección de basura, resultando en use-after-free. Recomendamos actualizar después del commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.

A use-after-free flaw was found in the Linux kernel's af_unix component that allows local privilege escalation. The unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. This issue leads to a race condition where the unix_stream_sendpage() function could access a skb that is being released by garbage collection, resulting in a use-after-free issue.

This update for the Linux Kernel 5.14.21-150400_24_81 fixes several issues. The following security issues were fixed. Fixed use-after-free vulnerability in nf_tables can be exploited to achieve local privilege escalation. Fixed a use-after-free vulnerability in netfilter: nf_tables component can be exploited to achieve local privilege escalation. Fixed an use-after-free vulnerability in the fs/smb/client component which could be exploited to achieve local privilege escalation. Fixed a use-after-free vulnerability in the Unix domain sockets component which could be exploited to achieve local privilege escalation. Fixed an incorrect verifier pruning in BPF that could lead to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and container escape.

*Credits: Billy Jheng Bing-Jhong

CVSS Scores

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

Attack Vector

Local

Attack Complexity

High

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-08-30 CVE Reserved
2023-09-06 CVE Published
2024-06-26 First Exploit
2025-02-13 CVE Updated
2025-04-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-416: Use After Free

CAPEC

CAPEC-233: Privilege Escalation

References (9)

URL	Tag	Source
http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html
https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html	Mailing List
https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html
https://www.debian.org/security/2023/dsa-5492	Third Party Advisory

URL	Date	SRC
https://github.com/0range1337/CVE-CVE-2023-4622	2024-06-26

URL	Date	SRC
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-6.1.y&id=790c2f9d15b594350ae9bca7b236f2b1859de02c	2024-01-11
https://kernel.dance/790c2f9d15b594350ae9bca7b236f2b1859de02c	2024-01-11

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-4622	2024-08-13
https://bugzilla.redhat.com/show_bug.cgi?id=2237760	2024-08-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.2 < 6.1.47 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 6.1.47"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				12.0 Search vendor "Debian" for product "Debian Linux" and version "12.0"		-		Affected