PT-2023-8000 · Linux · Linux Kernel

Nassim Asrir · Published 2023-08-11 · Updated 2026-04-09 · CVE-2023-6546

CVSS v3.1: 7.0 (High)

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. The issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and it can lead to a use-after-free on a struct gsm_dlci while the gsm mux is restarting. This could allow a local unprivileged user to escalate their privileges on the system. The exploit bypasses KASLR by leaking the kernel address from the world-readable /sys/kernel/notes. To bypass SMAP, the author used a novel technique of filling the kernfs_pr_cont_buf global variable with controlled data from userspace.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Race Condition

Use After Free

Time Of Check To Time Of Use

Weakness Enumeration

Related Identifiers

ALSA-2024:1607
ALSA-2024:2394
ALT-PU-2024-14046
ALT-PU-2024-6818
AZL-32284
BDU:2023-09114
CESA-2024_1607
CESA-2024_1612
CESA-2024_1614
CVE-2023-6546
INFSA-2024_2394
OESA-2023-1990
OESA-2024-1035
OPENSUSE-SU-2024_0156-1
OPENSUSE-SU-2024_3623-1
OPENSUSE-SU-2024_3631-1
OPENSUSE-SU-2024_3651-1
OPENSUSE-SU-2024_3694-1
OPENSUSE-SU-2024_3695-1
OPENSUSE-SU-2024_3697-1
OPENSUSE-SU-2024_3793-1
OPENSUSE-SU-2024_3798-1
OPENSUSE-SU-2024_3815-1
OPENSUSE-SU-2024_3829-1
OPENSUSE-SU-2024_3837-1
OPENSUSE-SU-2024_3842-1
OPENSUSE-SU-2024_3852-1
OPENSUSE-SU-2024_4122-1
OPENSUSE-SU-2024_4123-1
OPENSUSE-SU-2024_4214-1
OPENSUSE-SU-2024_4218-1
OPENSUSE-SU-2024_4234-1
OPENSUSE-SU-2024_4256-1
OPENSUSE-SU-2024_4266-1
OPENSUSE-SU-2025_0101-1
OPENSUSE-SU-2025_0107-1
OPENSUSE-SU-2025_0109-1
OPENSUSE-SU-2025_0115-1
OPENSUSE-SU-2025_0158-1
OPENSUSE-SU-2025_0244-1
OPENSUSE-SU-2025_0251-1
OPENSUSE-SU-2025_0252-1
OPENSUSE-SU-2025_0261-1
OPENSUSE-SU-2025_0266-1
RHSA-2024:0930
RHSA-2024:0937
RHSA-2024:1018
RHSA-2024:1019
RHSA-2024:1055
RHSA-2024:1250
RHSA-2024:1253
RHSA-2024:1306
RHSA-2024:1607
RHSA-2024:1612
RHSA-2024:1614
RHSA-2024:2394
RHSA-2024:2621
RHSA-2024:2697
RHSA-2024:4577
RHSA-2024:4729
RHSA-2024:4731
RHSA-2024:4970
RHSA-2024_1607
RHSA-2024_1614
RHSA-2024_2394
RLSA-2024:1607
RLSA-2024:1614
RXSA-2024:1607
SUSE-SU-2024:0115-1
SUSE-SU-2024:0129-1
SUSE-SU-2024:0141-1
SUSE-SU-2024:0156-1
SUSE-SU-2024:0160-1
SUSE-SU-2024:1677-1
SUSE-SU-2024:1679-1
SUSE-SU-2024:1680-1
SUSE-SU-2024:1682-1
SUSE-SU-2024:1685-1
SUSE-SU-2024:1686-1
SUSE-SU-2024:1692-1
SUSE-SU-2024:1694-1
SUSE-SU-2024:1695-1
SUSE-SU-2024:1696-1
SUSE-SU-2024:1705-1
SUSE-SU-2024:1706-1
SUSE-SU-2024:1707-1
SUSE-SU-2024:1708-1
SUSE-SU-2024:1709-1
SUSE-SU-2024:1711-1
SUSE-SU-2024:1712-1
SUSE-SU-2024:1713-1
SUSE-SU-2024:1719-1
SUSE-SU-2024:1720-1
SUSE-SU-2024:1723-1
SUSE-SU-2024:1726-1
SUSE-SU-2024:1729-1
SUSE-SU-2024:1731-1
SUSE-SU-2024:1732-1
SUSE-SU-2024:1735-1
SUSE-SU-2024:1736-1
SUSE-SU-2024:1739-1
SUSE-SU-2024:1740-1
SUSE-SU-2024:1742-1
SUSE-SU-2024:1746-1
SUSE-SU-2024:1748-1
SUSE-SU-2024:1749-1
SUSE-SU-2024:1751-1
SUSE-SU-2024:1753-1
SUSE-SU-2024:1757-1
SUSE-SU-2024:1759-1
SUSE-SU-2024:2092-1
SUSE-SU-2024:2100-1
SUSE-SU-2024:2120-1
SUSE-SU-2024:2130-1
SUSE-SU-2024:2148-1
SUSE-SU-2024:2162-1
SUSE-SU-2024:2163-1
SUSE-SU-2024:2207-1
SUSE-SU-2024:2208-1
SUSE-SU-2024:2337-1
SUSE-SU-2024:2343-1
SUSE-SU-2024:2373-1
SUSE-SU-2024:2382-1
SUSE-SU-2024:2446-1
SUSE-SU-2024:2447-1
SUSE-SU-2024:2472-1
SUSE-SU-2024:2558-1
SUSE-SU-2024:2722-1
SUSE-SU-2024:2740-1
SUSE-SU-2024:2751-1
SUSE-SU-2024:2755-1
SUSE-SU-2024:2821-1
SUSE-SU-2024:2824-1
SUSE-SU-2024:2840-1
SUSE-SU-2024:2850-1
SUSE-SU-2024:2851-1
SUSE-SU-2024:3034-1
SUSE-SU-2024:3037-1
SUSE-SU-2024:3043-1
SUSE-SU-2024:3318-1
SUSE-SU-2024:3347-1
SUSE-SU-2024:3368-1
SUSE-SU-2024:3379-1
SUSE-SU-2024:3399-1
SUSE-SU-2024:3623-1
SUSE-SU-2024:3631-1
SUSE-SU-2024:3642-1
SUSE-SU-2024:3651-1
SUSE-SU-2024:3662-1
SUSE-SU-2024:3694-1
SUSE-SU-2024:3695-1
SUSE-SU-2024:3697-1
SUSE-SU-2024:3793-1
SUSE-SU-2024:3798-1
SUSE-SU-2024:3803-1
SUSE-SU-2024:3815-1
SUSE-SU-2024:3820-1
SUSE-SU-2024:3829-1
SUSE-SU-2024:3837-1
SUSE-SU-2024:3842-1
SUSE-SU-2024:3852-1
SUSE-SU-2024:4122-1
SUSE-SU-2024:4123-1
SUSE-SU-2024:4214-1
SUSE-SU-2024:4218-1
SUSE-SU-2024:4226-1
SUSE-SU-2024:4234-1
SUSE-SU-2024:4242-1
SUSE-SU-2024:4256-1
SUSE-SU-2024:4266-1
SUSE-SU-2025:0101-1
SUSE-SU-2025:0103-1
SUSE-SU-2025:0107-1
SUSE-SU-2025:0109-1
SUSE-SU-2025:0115-1
SUSE-SU-2025:0158-1
SUSE-SU-2025:0244-1
SUSE-SU-2025:0251-1
SUSE-SU-2025:0252-1
SUSE-SU-2025:0261-1
SUSE-SU-2025:0266-1
ZDI-24-020

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linux Kernel
Red Hat
Red Os
Rocky Linux
Suse