CVE-2023-2166: Null Pointer Dereference
First published: Tue Apr 18 2023(Updated: )
A null pointer dereference issue was found in can protocol in net/can/af_can.c in the Linux before Linux. ml_priv may not be initialized in the receive path of CAN frames. A local user could use this flaw to crash the system or potentially cause a denial of service.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel | <6.1 | 6.1 |
| Linux Kernel | <6.1 | |
| Linux Kernel | =6.1 | |
| Linux Kernel | =6.1-rc1 | |
| Linux Kernel | =6.1-rc2 | |
| Linux Kernel | =6.1-rc3 | |
| Linux Kernel | =6.1-rc4 | |
| Linux Kernel | =6.1-rc5 | |
| Linux Kernel | =6.1-rc6 | |
| Linux Kernel | =6.1-rc7 | |
| Linux Kernel | =6.1-rc8 | |
| IBM Security Verify Governance - Identity Manager | <=ISVG 10.0.2 | |
| IBM Security Verify Governance, Identity Manager | <=ISVG 10.0.2 |
Remedy
https://lore.kernel.org/lkml/CAO4mrfcV_07hbj8NUuZrA8FH-kaRsrFy-2metecpTuE5kKHn5w@mail.gmail.com/
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lore.kernel.org/lkml/CAO4mrfcV_07hbj8NUuZrA8FH-kaRsrFy-2metecpTuE5kKHn5w@mail.gmail.com/
- https://lore.kernel.org/lkml/CAO4mrfcV_07hbj8NUuZrA8FH-kaRsrFy-2metecpTuE5kKHn5w%40mail.gmail.com/
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0acc442309a0a1b01bcdaa135e56e6398a49439c
- https://access.redhat.com/errata/RHSA-2024:0461
- https://access.redhat.com/errata/RHSA-2024:0439
- https://access.redhat.com/errata/RHSA-2024:0448
- https://access.redhat.com/errata/RHSA-2024:0724
- https://access.redhat.com/errata/RHSA-2024:0881
- https://access.redhat.com/errata/RHSA-2024:0897
- https://access.redhat.com/errata/RHSA-2024:1250
- https://access.redhat.com/errata/RHSA-2024:1306
- https://access.redhat.com/errata/RHSA-2024:1367
- https://access.redhat.com/errata/RHSA-2024:1382
- https://access.redhat.com/errata/RHSA-2024:1404
- https://access.redhat.com/errata/RHSA-2024:3528
- https://bugzilla.redhat.com/show_bug.cgi?id=2187813
- https://www.ibm.com/support/pages/node/7172423 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2023-2166?
CVE-2023-2166 has a medium severity rating due to its potential to crash the system or cause a denial of service.
How do I fix CVE-2023-2166?
To fix CVE-2023-2166, update the Linux kernel to version 6.1 or later.
Who is affected by CVE-2023-2166?
CVE-2023-2166 affects users running Linux kernel versions prior to 6.1, as well as certain versions of IBM Security Verify Governance software.
What causes the vulnerability in CVE-2023-2166?
CVE-2023-2166 is caused by a null pointer dereference in the CAN protocol implementation in the Linux kernel.
Can CVE-2023-2166 be exploited remotely?
CVE-2023-2166 requires local access to exploit, as it involves a flaw in the kernel's CAN frame processing.
- agent/type
- agent/remedy
- agent/author
- agent/first-publish-date
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-2166
- agent/software-canonical-lookup
- agent/trending
- agent/references
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/mitre-cve
- source/MITRE
- agent/weakness
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/softwarecombine
- agent/source
- agent/tags
- agent/event
- collector/ibm-support
- source/IBM
- package-manager/redhat
- vendor/linux
- canonical/linux kernel
- version/linux kernel/6.1
- version/linux kernel/6.1-rc1
- version/linux kernel/6.1-rc2
- version/linux kernel/6.1-rc3
- version/linux kernel/6.1-rc4
- version/linux kernel/6.1-rc5
- version/linux kernel/6.1-rc6
- version/linux kernel/6.1-rc7
- version/linux kernel/6.1-rc8
- vendor/ibm
- canonical/ibm security verify governance - identity manager
- version/ibm security verify governance - identity manager/isvg 10.0.2
- canonical/ibm security verify governance, identity manager
- version/ibm security verify governance, identity manager/isvg 10.0.2