7.8

CVE-2023-53559

ip_vti: fix potential slab-use-after-free in decode_session6

In the Linux kernel, the following vulnerability has been resolved:

ip_vti: fix potential slab-use-after-free in decode_session6

When ip_vti device is set to the qdisc of the sfb type, the cb field
of the sent skb may be modified during enqueuing. Then,
slab-use-after-free may occur when ip_vti device sends IPv6 packets.
As commit f855691975bb ("xfrm6: Fix the nexthdr offset in
_decode_session6.") showed, xfrm_decode_session was originally intended
only for the receive path. IP6CB(skb)->nhoff is not set during
transmission. Therefore, set the cb field in the skb to 0 before
sending packets.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 3.19.1 < 4.14.324
LinuxLinux Kernel Version >= 4.15 < 4.19.293
LinuxLinux Kernel Version >= 4.20 < 5.4.255
LinuxLinux Kernel Version >= 5.5 < 5.10.192
LinuxLinux Kernel Version >= 5.11 < 5.15.128
LinuxLinux Kernel Version >= 5.16 < 6.1.47
LinuxLinux Kernel Version >= 6.2 < 6.4.12
LinuxLinux Kernel Version3.19 Update-
LinuxLinux Kernel Version3.19 Updaterc7
LinuxLinux Kernel Version6.5 Updaterc1
LinuxLinux Kernel Version6.5 Updaterc2
LinuxLinux Kernel Version6.5 Updaterc3
LinuxLinux Kernel Version6.5 Updaterc4
LinuxLinux Kernel Version6.5 Updaterc5
LinuxLinux Kernel Version6.5 Updaterc6
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.14% 0.036
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/82fb41c5de243e7dfa90f32ca58e35adaff56c1d
Patch
https://git.kernel.org/stable/c/7dfe23659f3677c08a60a0056cda2d91a79c15ca
Patch
https://git.kernel.org/stable/c/d34c30442d5e53a33cde79ca163320dbe2432cbd
Patch
https://git.kernel.org/stable/c/0b4d69539fdea138af2befe08893850c89248068
Patch
https://git.kernel.org/stable/c/e1e04cc2ef2c0c0866c19f5627149a76c2baae32
Patch
https://git.kernel.org/stable/c/2b05bf5dc437f7891dd409a3eaf5058459391c7a
Patch
https://git.kernel.org/stable/c/78e397a43e1c47321a4679cc49a6c4530bf820b9
Patch
https://git.kernel.org/stable/c/6018a266279b1a75143c7c0804dd08a5fc4c3e0b
Patch