CVE-2023-2236: Use-after-free in Linux kernel's Performance Events subsystem
First published: Mon May 01 2023(Updated: )
A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation. Both io_install_fixed_file and its callers call fput in a file in case of an error, causing a reference underflow which leads to a use-after-free vulnerability. We recommend upgrading past commit 9d94c04c0db024922e886c9fd429659f22f48ea4.
Credit: cve-coordination@google.com cve-coordination@google.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Linux kernel | =6.1-rc2 | |
| Linux Linux kernel | =6.1-rc5 | |
| Linux Linux kernel | =6.1-rc1 | |
| Linux Linux kernel | =6.1-rc3 | |
| Linux Linux kernel | =6.1-rc4 | |
| Linux Linux kernel | =6.1-rc6 | |
| Linux Linux kernel | >=5.19<6.1 | |
| Linux Linux kernel | >=5.19<6.0.11 | |
| Netapp Hci Baseboard Management Controller | =h300s | |
| Netapp Hci Baseboard Management Controller | =h410c | |
| Netapp Hci Baseboard Management Controller | =h410s | |
| Netapp Hci Baseboard Management Controller | =h500s | |
| Netapp Hci Baseboard Management Controller | =h700s |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability with ID CVE-2023-2236?
CVE-2023-2236 is a use-after-free vulnerability in the Linux Kernel io_uring subsystem that can be exploited for local privilege escalation.
What software is affected by the CVE-2023-2236 vulnerability?
The Linux Kernel versions 5.19 to 6.1-rc6, and certain Netapp Hci Baseboard Management Controller models (h300s, h410c, h410s, h500s, h700s) are affected by the CVE-2023-2236 vulnerability.
What is the severity of CVE-2023-2236?
CVE-2023-2236 has a severity rating of high (7).
How can the CVE-2023-2236 vulnerability be exploited?
The CVE-2023-2236 vulnerability can be exploited through a use-after-free attack in the Linux Kernel io_uring subsystem, allowing an attacker to gain local privilege escalation.
What is the recommended action to mitigate CVE-2023-2236?
It is recommended to apply the patch provided by the Linux Kernel development team and Netapp for the affected software versions to mitigate the CVE-2023-2236 vulnerability.
- collector/nvd-latest
- collector/nvd-api
- collector/nvd-index
- agent/author
- agent/remedy
- agent/softwarecombine
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/last-modified-date
- agent/references
- agent/weakness
- agent/tags
- agent/first-publish-date
- agent/event
- agent/description
- vendor/linux
- canonical/linux linux kernel
- version/linux linux kernel/6.1-rc2
- version/linux linux kernel/6.1-rc5
- version/linux linux kernel/6.1-rc1
- version/linux linux kernel/6.1-rc3
- version/linux linux kernel/6.1-rc4
- version/linux linux kernel/6.1-rc6
- version/linux linux kernel/5.19
- vendor/netapp
- canonical/netapp hci baseboard management controller
- version/netapp hci baseboard management controller/h300s
- version/netapp hci baseboard management controller/h410c
- version/netapp hci baseboard management controller/h410s
- version/netapp hci baseboard management controller/h500s
- version/netapp hci baseboard management controller/h700s