PT-2023-3671 · Linux · Linux Kernel

Published: 2023-05-16 · Updated: 2025-01-13 · CVE-2023-38428

CVSS v2.0: 9.4 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.3.4
Description: The issue is in the session_user() function of fs/ksmbd/smb2pdu.c, part of the Linux kernel's in-kernel SMB server (KSMBD). It is an out-of-bounds read: the check on the UserName field of the authentication blob is performed without taking the address of the security buffer into account, so a UserName offset and length that pass the check can still describe a region lying outside the buffer that was actually received. A remote attacker who can reach the SMB service (no authentication is required, per the vector above) could use this to read protected kernel memory or to crash the server, causing a denial of service.
Recommendations: For Linux kernel versions prior to 6.3.4, update to version 6.3.4 or later, or to a distribution kernel that carries the backported fix (see the vendor advisories under Related Identifiers). Until the kernel can be updated: if the host does not need to serve SMB shares with KSMBD, make sure the ksmbd kernel module is not loaded (for example by blacklisting it); if it does, restrict network access to the SMB port (TCP 445) to trusted hosts so that untrusted clients cannot reach the vulnerable session-setup handling.
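The class of mistake the description names, an offset/length pair validated against the wrong buffer base, shown as an added C illustration. This is constructed example code, not the kernel's KSMBD implementation: the two-level wire layout (a PDU carrying a security blob, which carries a name field whose offset is relative to the blob), the function names get_secbuf, user_name_weak, user_name_checked and build_pdu, and the sample PDU are all assumptions made for the demonstration. The weak variant compares the name's blob-relative offset and length against the PDU length; the hardened variant compares them against the blob it is relative to.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified wire layout (assumption, not the kernel's structs):
 *   pdu  = [off(2) len(2)] ... [security blob]
 *   blob = [off(2) len(2)] ... [name bytes]       blob offsets are blob-relative
 */
#define HDR_LEN 4

/* A located field; off is absolute within the PDU, ok == 0 means rejected. */
struct range { int ok; size_t off; size_t len; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Does [off, off+len) lie inside a buffer of buf_len bytes, past the fixed
 * header? Written with subtraction so off + len can never wrap. */
static int fits(size_t off, size_t len, size_t min_off, size_t buf_len)
{
    return off >= min_off && off <= buf_len && len <= buf_len - off;
}

/* Locate the security blob inside the received PDU. */
static struct range get_secbuf(const uint8_t *pdu, size_t pdu_len)
{
    struct range r = {0, 0, 0};
    if (pdu_len < HDR_LEN) return r;
    size_t off = rd16(pdu), len = rd16(pdu + 2);
    if (!fits(off, len, HDR_LEN, pdu_len)) return r;
    r.ok = 1; r.off = off; r.len = len;
    return r;
}

/* Weak check: the name's offset/length are relative to the blob, but are
 * compared against the PDU length as if they were relative to the PDU start,
 * ignoring where the blob itself sits. The accepted range can reach past the
 * bytes that were received. */
static struct range user_name_weak(const uint8_t *pdu, size_t pdu_len, struct range blob)
{
    struct range r = {0, 0, 0};
    if (!blob.ok || blob.len < HDR_LEN) return r;
    size_t off = rd16(pdu + blob.off), len = rd16(pdu + blob.off + 2);
    if (!fits(off, len, HDR_LEN, pdu_len)) return r;     /* wrong base */
    r.ok = 1; r.off = blob.off + off; r.len = len;       /* may exceed pdu_len */
    return r;
}

/* Hardened check: validate against the bounds of the buffer the offset is
 * relative to. Anything accepted here lies inside the blob, hence inside the PDU. */
static struct range user_name_checked(const uint8_t *pdu, struct range blob)
{
    struct range r = {0, 0, 0};
    if (!blob.ok || blob.len < HDR_LEN) return r;
    size_t off = rd16(pdu + blob.off), len = rd16(pdu + blob.off + 2);
    if (!fits(off, len, HDR_LEN, blob.len)) return r;
    r.ok = 1; r.off = blob.off + off; r.len = len;
    return r;
}

/* Constructed 16-byte sample PDU: header, 4 bytes of padding, then an 8-byte
 * blob at offset 8 whose name field starts at blob offset 4 with name_len bytes. */
#define PDU_LEN 16
static size_t build_pdu(uint8_t out[PDU_LEN], uint16_t name_len)
{
    memset(out, 0, PDU_LEN);
    wr16(out, 8);      wr16(out + 2, 8);          /* security blob: off 8, len 8 */
    wr16(out + 8, 4);  wr16(out + 10, name_len);  /* name: blob-relative off 4 */
    memcpy(out + 12, "bob", 4);                   /* "bob\0", the 4 real name bytes */
    return PDU_LEN;
}

/* 1 if the weak check accepts a name range that extends past the PDU. */
static int weak_check_accepts_oob(uint16_t name_len)
{
    uint8_t pdu[PDU_LEN];
    size_t n = build_pdu(pdu, name_len);
    struct range w = user_name_weak(pdu, n, get_secbuf(pdu, n));
    return w.ok && w.off + w.len > n;
}

/* 1 if the hardened check accepts the name field for this name_len. */
static int checked_accepts(uint16_t name_len)
{
    uint8_t pdu[PDU_LEN];
    size_t n = build_pdu(pdu, name_len);
    return user_name_checked(pdu, get_secbuf(pdu, n)).ok;
}
```

With name_len = 4 both checks agree and the name lies entirely inside the blob. With name_len = 8 the weak check still passes (4 + 8 fits in a 16-byte PDU) but the resulting absolute range runs 4 bytes past the end of what was received; the hardened check rejects it because 8 bytes do not fit in the 4 bytes the blob has left after the name's offset. The general rule: every offset must be checked against the length of the buffer it is relative to, not against whatever larger buffer happens to contain it.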

Fix

Weakness Enumeration

Out-of-bounds Read (CWE-125)

Related Identifiers

ALT-PU-2023-4663
ALT-PU-2024-4263
ALT-PU-2024-4843
AZL-27537
BDU:2023-03955
CVE-2023-38428
OESA-2023-1467
OESA-2023-1468
OESA-2023-1471
USN-6338-1
USN-6338-2
USN-6339-1
USN-6339-2
USN-6339-3
USN-6339-4
USN-6344-1
USN-6350-1
USN-6351-1

Affected Products

Alt Linux
Astra Linux
Linux Mint
Linux Kernel
RED OS
Ubuntu