CVE-2023-2235

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-2235
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-2235.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-2235
Related
Published
2023-05-01T13:15:44Z
Modified
2024-09-18T01:00:21Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A use-after-free vulnerability in the Linux Kernel Performance Events system can be exploited to achieve local privilege escalation.

The perfgroupdetach function did not check the event's siblings' attachstate before calling addeventtogroups(), but removeonexec made it possible to call listdelevent() on before detaching from their group, making it possible to use a dangling pointer causing a use-after-free vulnerability.

We recommend upgrading past commit fd0815f632c24878e325821943edccc7fde947a2.

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.25-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.25-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}