First published: Sun Feb 26 2023
A flaw was found in the Linux kernel. A missing check causes a type confusion when list_entry() is issued on an empty report_list. The problem is caused by the assumption that the device must have a valid report_list. While this is true for all normal HID devices, a suitably malicious device can violate the assumption. References: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=b12fece4c64857e5fab4290bf01b2e0317a88456 and https://www.openwall.com/lists/oss-security/2023/01/17/3
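As an added illustration, not code from this page, the kernel, or the fix commit: a userspace model of the bug described above. The list helpers imitate the kernel's list.h, the two HID structures are assumed simplified shapes, and first_report_checked() shows the kind of list_empty() guard that must precede list_entry() when a device may present no reports at all.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal userspace imitation of the kernel's intrusive list API (list.h). */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n;
}
#define list_entry(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
/* Simplified stand-ins for the HID structures (assumed shape, not the kernel's). */
struct hid_report { unsigned int id; struct list_head list; };
struct hid_report_enum { unsigned int numbered; struct list_head report_list; };
/* Vulnerable pattern: assumes report_list always holds a report. On an empty
 * list report_list.next points back at the head, so list_entry() yields a
 * hid_report pointer that really overlays the hid_report_enum (type confusion). */
struct hid_report *first_report_unchecked(struct hid_report_enum *re) {
    return list_entry(re->report_list.next, struct hid_report, list);
}

/* Hardened pattern: test for an empty list before calling list_entry(). */
struct hid_report *first_report_checked(struct hid_report_enum *re) {
    if (list_empty(&re->report_list))
        return NULL;
    return list_entry(re->report_list.next, struct hid_report, list);
}
/* 1 if the supposed report at p overlaps the report_enum object itself. */
static int overlays_enum(const struct hid_report_enum *re, const struct hid_report *p) {
    uintptr_t lo = (uintptr_t)re, hi = lo + sizeof(*re), a = (uintptr_t)p;
    return a < hi && a + sizeof(*p) > lo;
}

/* Device that offered no reports: checked path refuses, unchecked one aliases the enum. */
int demo_empty_report_list(void) {
    struct hid_report_enum re = { 0 };
    list_init(&re.report_list);
    return first_report_checked(&re) == NULL
        && overlays_enum(&re, first_report_unchecked(&re));
}
/* Normal device with one report: both paths return the real report. */
int demo_populated_report_list(void) {
    static struct hid_report r = { .id = 1 };
    struct hid_report_enum re = { 0 };
    list_init(&re.report_list);
    list_add_tail(&r.list, &re.report_list);
    return first_report_checked(&re) == &r && first_report_unchecked(&re) == &r;
}
```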
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/kernel | <6.1.9 | 6.1.9 |
Linux Kernel | | |
Red Hat Enterprise Linux | =7.0 | |
Red Hat Enterprise Linux | =8.0 | |
Red Hat Enterprise Linux | =9.0 | |
Red Hat Fedora | =37 | |
IBM Security Verify Governance - Identity Manager | <=ISVG 10.0.2 | |
debian/linux | 5.10.223-1, 5.10.234-1, 6.1.129-1, 6.1.128-1, 6.12.20-1, 6.12.21-1 | |
CVE-2023-1073 is considered to have a critical severity due to its potential exploitation by malicious devices.
To fix CVE-2023-1073, you should upgrade your Linux kernel to versions 5.10.223-1, 5.10.226-1, 6.1.119-1, 6.1.123-1, 6.12.11-1, or 6.12.12-1, depending on your distribution.
CVE-2023-1073 affects various Linux kernel versions across distributions such as Red Hat Enterprise Linux 7.0-9.0 and Fedora 37.
CVE-2023-1073 is caused by a missing check in the Linux kernel, leading to type confusion when the list_entry() function is executed on an empty report_list.
CVE-2023-1073 can be exploited by a suitably malicious device connected to the system.