CVE-2023-52462

bpf: fix check for attempt to corrupt spilled pointer

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: bpf: fix check for attempt to corrupt spilled pointer When register is spilled onto a stack as a 1/2/4-byte register, we set
slot_type[BPF_REG_SIZE - 1] (plus potentially few more below it,
depending on actual spill size). So to check if some stack slot has
spilled register we need to consult slot_type[7], not slot_type[0]. To avoid the need to remember and double-check this in the future, just
use is_spilled_reg() helper.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: bpf: revisión de corrección para intentar dañar el puntero derramado Cuando el registro se derrama en una pila como un registro de 1/2/4 bytes, configuramos slot_type[BPF_REG_SIZE - 1] (más potencialmente algunos más debajo de él, dependiendo del tamaño real del derrame). Entonces, para verificar si alguna ranura de la pila se ha desbordado, debemos consultar slot_type[7], no slot_type[0]. Para evitar la necesidad de recordar y volver a verificar esto en el futuro, simplemente use el asistente is_spilled_reg().

A flaw was found in the Linux kernel. When the register is spilled onto a stack as a 1/2/4-byte register, the slot_type[BPF_REG_SIZE - 1] is set, possibly including a few more below it, depending on the actual spill size. To confirm if some stack slots have a spilled register, consult slot_type[7], not slot_type[0]. To avoid the need to remember and double-check this in the future, use the is_spilled_reg() helper.

In the Linux kernel, the following vulnerability has been resolved: bpf: fix check for attempt to corrupt spilled pointer When register is spilled onto a stack as a 1/2/4-byte register, we set slot_type[BPF_REG_SIZE - 1] (plus potentially few more below it, depending on actual spill size). So to check if some stack slot has spilled register we need to consult slot_type[7], not slot_type[0]. To avoid the need to remember and double-check this in the future, just use is_spilled_reg() helper.

Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel did not properly validate H2C PDU data, leading to a null pointer dereference vulnerability. A remote attacker could use this to cause a denial of service. Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano Giuffrida discovered that the Linux kernel mitigations for the initial Branch History Injection vulnerability were insufficient for Intel processors. A local attacker could potentially use this to expose sensitive information.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

Complete

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-20 CVE Reserved
2024-02-23 CVE Published
2025-05-04 CVE Updated
2025-06-28 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-476: NULL Pointer Dereference

CAPEC

References (12)

URL	Tag	Source
https://git.kernel.org/stable/c/cdd73a5ed0840da88a3b9ad353f568e6f156d417	Vuln. Introduced
https://git.kernel.org/stable/c/07c286c10a9cedbd71f20269ff3a4e73d9aab2fe	Vuln. Introduced
https://git.kernel.org/stable/c/27113c59b6d0a587b29ae72d4ff3f832f58b0651	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/2757f17972d87773b3677777f5682510f13c66ef	2024-01-25
https://git.kernel.org/stable/c/67e6707f07354ed1acb4e65552e97c60cf9d69cf	2024-01-25
https://git.kernel.org/stable/c/fc3e3c50a0a4cac1463967c110686189e4a59104	2024-01-25
https://git.kernel.org/stable/c/8dc15b0670594543c356567a1a45b0182ec63174	2024-01-25
https://git.kernel.org/stable/c/40617d45ea05535105e202a8a819e388a2b1f036	2024-01-25
https://git.kernel.org/stable/c/ab125ed3ec1c10ccc36bc98c7a4256ad114a3dae	2023-12-05

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-52462	2024-11-12
https://bugzilla.redhat.com/show_bug.cgi?id=2265798	2024-11-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.163 < 5.10.209 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.163 < 5.10.209"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.86 < 5.15.148 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.86 < 5.15.148"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.16 < 6.1.75 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.16 < 6.1.75"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.16 < 6.6.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.16 < 6.6.14"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.16 < 6.7.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.16 < 6.7.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.16 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.16 < 6.8"		en		Affected