CVE-2023-0266

CVSS v3.1 7.8 (High)

EPSS 0.08 % (36^th)

Affected Products 1

Advisories 58

A use after free vulnerability exists in the ALSA PCM package in the Linux Kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result in a priviledge escalation to gain ring0 access from the system user. We recommend upgrading past commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e

Weaknesses

CWE-416: Use After Free

CVE Status: PUBLISHED
CNA: Google Inc.
Published Date: 2023-01-30 14:15:10
(19 months ago)
Updated Date: 2023-08-29 17:59:37
(12 months ago)

Linux Kernel Use-After-Free Vulnerability (CISA - Known Exploited Vulnerabilities Catalog)

Description: Linux kernel contains a use-after-free vulnerability that allows for privilege escalation to gain ring0 access from the system user.
Required Action: Apply updates per vendor instructions.
Known to be Used in Ransomware Campaigns: Unknown
Notes: https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-5.10/alsa-pcm-move-rwsem-lock-inside-snd_ctl_elem_read-to-prevent-uaf.patch?id=72783cf35e6c55bca84c4bb7b776c58152856fd4; https://nvd.nist.gov/vuln/detail/CVE-2023-0266

Vendor: Linux
Product: Kernel
In CISA Catalog from: 2023-03-30
(17 months ago)
Due Date: 2023-04-20
(17 months ago)

Affected Products

Linux

Linux Kernel

Configuration #1

	CPE23	From	Up To
Linux Kernel from 4.14 version and prior 4.14.303 version	cpe:2.3:o:linux:linux_kernel	>= 4.14	< 4.14.303
Linux Kernel from 4.15 version and prior 4.19.270 version	cpe:2.3:o:linux:linux_kernel	>= 4.15	< 4.19.270
Linux Kernel from 4.20 version and prior 5.4.229 version	cpe:2.3:o:linux:linux_kernel	>= 4.20	< 5.4.229
Linux Kernel from 5.5 version and prior 5.10.163 version	cpe:2.3:o:linux:linux_kernel	>= 5.5	< 5.10.163
Linux Kernel from 5.11 version and prior 5.15.88 version	cpe:2.3:o:linux:linux_kernel	>= 5.11	< 5.15.88
Linux Kernel from 5.16 version and prior 6.1.6 version	cpe:2.3:o:linux:linux_kernel	>= 5.16	< 6.1.6