CVE-2023-52974

scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails,
userspace could be accessing the host's ipaddress attr. If we then free the
session via iscsi_session_teardown() while userspace is still accessing the
session we will hit a use after free bug. Set the tcp_sw_host->session after we have completed session creation and
can no longer fail.

A vulnerability was found in the Linux kernel's iscsi tcp drivers. Improper resource allocation management can lead to a use-after-free scenario, triggered when the userspace attempts to access the session host's `ipaddress` attribute while the kernel is performing a session teardown via `iscsi_session_teardown()`.

In the Linux kernel, the following vulnerability has been resolved: scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails, userspace could be accessing the host's ipaddress attr. If we then free the session via iscsi_session_teardown() while userspace is still accessing the session we will hit a use after free bug. Set the tcp_sw_host->session after we have completed session creation and can no longer fail.

The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security bugfixes. The following security bugs were fixed.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2025-03-27 CVE Reserved
2025-03-27 CVE Published
2026-05-06 EPSS Updated
2026-05-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (10)

URL	Tag	Source
https://git.kernel.org/stable/c/a79af8a64d395bd89de8695a5ea5e1a7f01f02a8	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/496af9d3682ed4c28fb734342a09e6cc0c056ea4	2023-02-22
https://git.kernel.org/stable/c/6abd4698f4c8a78e7bbfc421205c060c199554a0	2023-02-22
https://git.kernel.org/stable/c/d4d765f4761f9e3a2d62992f825aeee593bcb6b9	2023-02-22
https://git.kernel.org/stable/c/9758ffe1c07b86aefd7ca8e40d9a461293427ca0	2023-02-15
https://git.kernel.org/stable/c/0aaabdb900c7415caa2006ef580322f7eac5f6b6	2023-02-09
https://git.kernel.org/stable/c/61e43ebfd243bcbad11be26bd921723027b77441	2023-02-09
https://git.kernel.org/stable/c/f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3	2023-01-19

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-52974	2024-01-30
https://bugzilla.redhat.com/show_bug.cgi?id=2355469	2024-01-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.39 < 4.14.306 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.39 < 4.14.306"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.39 < 4.19.273 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.39 < 4.19.273"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.39 < 5.4.232 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.39 < 5.4.232"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.39 < 5.10.168 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.39 < 5.10.168"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.39 < 5.15.93 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.39 < 5.15.93"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.39 < 6.1.11 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.39 < 6.1.11"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.39 < 6.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.39 < 6.2"		en		Affected