PT-2023-2590 · Linux+10 · Linux Kernel+10
Budimir Markovic
·
Publicado
2023-03-15
·
Atualizado
2024-04-15
·
CVE-2023-2235
CVSS v3.1
7.8
Alta
| Vetor | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Linux Kernel (affected versions not specified)
Description
A use-after-free vulnerability in the Linux Kernel Performance Events system can be exploited to achieve local privilege escalation. The
perf group detach function did not check the event's siblings' attach state before calling add event to groups(), but remove on exec made it possible to call list del event() on before detaching from their group, making it possible to use a dangling pointer causing a use-after-free vulnerability.Recommendations
Upgrade past commit fd0815f632c24878e325821943edccc7fde947a2 to resolve the issue. As a temporary workaround, consider restricting access to the
perf group detach function until a patch is available.Correção
LPE
Use After Free
NULL Pointer Dereference
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Alt Linux
Almalinux
Astra Linux
Centos
Linux Kernel
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu