CVE-2023-5345

Use-after-free in Linux kernel's fs/smb/client component

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

A use-after-free vulnerability in the Linux kernel's fs/smb/client component can be exploited to achieve local privilege escalation. In case of an error in smb3_fs_context_parse_param, ctx->password was freed but the field was not set to NULL which could lead to double free. We recommend upgrading past commit e6e43b8aa7cd3c3af686caf0c2e11819a886d705.

Se puede explotar una vulnerabilidad de use-after-free en el componente fs/smb/client del kernel de Linux para lograr una escalada de privilegios local. En caso de un error en smb3_fs_context_parse_param, se liberó ctx->password pero el campo no se configuró en NULL, lo que podría provocar una doble liberación. Recomendamos actualizar al commit anterior e6e43b8aa7cd3c3af686caf0c2e11819a886d705.

A flaw was found in the SMB client component in the Linux kernel. In case of an error in smb3_fs_context_parse_param, `ctx->password` was freed, but the field was not set to NULL, potentially leading to a use-after-free vulnerability. This flaw allows a local user to crash or potentially escalate their privileges on the system.

This update for the Linux Kernel 5.14.21-150400_24_81 fixes several issues. The following security issues were fixed. Fixed use-after-free vulnerability in nf_tables can be exploited to achieve local privilege escalation. Fixed a use-after-free vulnerability in netfilter: nf_tables component can be exploited to achieve local privilege escalation. Fixed an use-after-free vulnerability in the fs/smb/client component which could be exploited to achieve local privilege escalation. Fixed a use-after-free vulnerability in the Unix domain sockets component which could be exploited to achieve local privilege escalation. Fixed an incorrect verifier pruning in BPF that could lead to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and container escape.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-10-02 CVE Reserved
2023-10-03 CVE Published
2025-02-27 CVE Updated
2025-04-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

CAPEC-233: Privilege Escalation

References (8)

URL	Tag	Source
http://packetstormsecurity.com/files/177029/Kernel-Live-Patch-Security-Notice-LSN-0100-1.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GISYSL3F6WIEVGHJGLC2MFNTUXHPTKQH	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GPMICQ2HVZO5UAM5KPXHAZKA2U3ZDOO6	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V5PDNWPKAP3WL5RQZ4RIDS6MG32OHH5R	Mailing List

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e6e43b8aa7cd3c3af686caf0c2e11819a886d705	2024-02-08
https://kernel.dance/e6e43b8aa7cd3c3af686caf0c2e11819a886d705	2024-02-08

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-5345	2023-12-12
https://bugzilla.redhat.com/show_bug.cgi?id=2242172	2023-12-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.6 Search vendor "Linux" for product "Linux Kernel" and version " < 6.6"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.6 Search vendor "Linux" for product "Linux Kernel" and version "6.6"		rc1		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.6 Search vendor "Linux" for product "Linux Kernel" and version "6.6"		rc2		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.6 Search vendor "Linux" for product "Linux Kernel" and version "6.6"		rc3		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				37 Search vendor "Fedoraproject" for product "Fedora" and version "37"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				38 Search vendor "Fedoraproject" for product "Fedora" and version "38"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				39 Search vendor "Fedoraproject" for product "Fedora" and version "39"		-		Affected