PT-2023-4878 · Linux+6 · Linux Kernel+6

Bing-Jhong Billy Jheng

+1

·

Published

2023-07-29

·

Updated

2025-09-26

·

CVE-2023-4207

CVSS v3.1

7.8

High

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)
Description A use-after-free vulnerability in the Linux kernel's net/sched: cls fw component can be exploited to achieve local privilege escalation. When fw change() is called on an existing filter, the whole tcf result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf unbind filter() is always called on the old instance in the success path, decreasing filter cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.
Recommendations Upgrade past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.

Exploit

Fix

LPE

Use After Free

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-416

Related Identifiers

ALSA-2023:7077
ALT-PU-2023-5748
ALT-PU-2023-5787
ALT-PU-2023-7004
ALT-PU-2023-8474
ALT-PU-2024-4263
ALT-PU-2024-4843
AZL-28678
BDU:2023-05369
CESA-2023_6901
CESA-2023_7077
CESA-2023_7423
CVE-2023-4207
DLA-3710-1
DSA-5492-1
OESA-2023-1634
OESA-2023-1635
OESA-2023-1636
OESA-2023-1637
OESA-2023-1638
RHSA-2023:5235
RHSA-2023:5238
RHSA-2023:5548
RHSA-2023:5575
RHSA-2023:5580
RHSA-2023:5588
RHSA-2023:5589
RHSA-2023:5603
RHSA-2023:5604
RHSA-2023:5627
RHSA-2023:5628
RHSA-2023:5775
RHSA-2023:5794
RHSA-2023:6583
RHSA-2023:6901
RHSA-2023:7077
RHSA-2023:7370
RHSA-2023:7379
RHSA-2023:7418
RHSA-2023:7419
RHSA-2023:7423
RHSA-2023:7424
RHSA-2023:7539
RHSA-2023:7558
RHSA-2023_6583
RHSA-2023_6901
RHSA-2023_7077
RHSA-2023_7423
RHSA-2023_7424
RHSA-2024:0261
RHSA-2024:0262

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linux Kernel
Red Hat
Red Os