CVE-2023-3389

Source
https://cve.org/CVERecord?id=CVE-2023-3389
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-3389.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-3389
Published
2023-06-28T20:15:09.773Z
Modified
2026-02-18T07:43:45.642933Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

A use-after-free vulnerability in the Linux kernel io_uring subsystem can be exploited to achieve local privilege escalation.

Racing an io_uring cancel poll request with a linked timeout can cause a UAF in a hrtimer.

We recommend upgrading past commit ef7dfac51d8ed961b742218f526bd589f3900a59 (4716c73b188566865bdd79c3a6709696a224ac04 for 5.10 stable and 0e388fce7aec40992eadee654193cad345d62663 for 5.15 stable).

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
ef7dfac51d8ed961b742218f526bd589f3900a59
Introduced
62fb9874f5da54fdb243003b386128037319b219
Fixed
6995e2de6891c724bfeb2db33d7b87775f913ad1

Affected versions

v5.*
v5.13
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-3389.json"
vanir_signatures
[
    {
        "id": "CVE-2023-3389-34baa251",
        "target": {
            "file": "io_uring/poll.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@ef7dfac51d8ed961b742218f526bd589f3900a59",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2023-3389-d696e342",
        "target": {
            "function": "io_poll_remove",
            "file": "io_uring/poll.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@ef7dfac51d8ed961b742218f526bd589f3900a59",
        "digest": {
            "function_hash": "296319019688382189243133466812869415954",
            "length": 1571.0
        },
        "signature_type": "Function"
    }
]