CVE-2023-49062
First published: Tue Nov 28 2023(Updated: )
Katran could disclose non-initialized kernel memory as part of an IP header. The issue was present for IPv4 encapsulation and ICMP (v4) Too Big packet generation. After a bpf_xdp_adjust_head call, Katran code didn’t initialize the Identification field for the IPv4 header, resulting in writing content of kernel memory in that field of IP header. The issue affected all Katran versions prior to commit 6a03106ac1eab39d0303662963589ecb2374c97f
Credit: cve-assign@fb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Facebook Katran | <2023-11-15 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-49062?
CVE-2023-49062 is a vulnerability in Katran that could disclose non-initialized kernel memory as part of an IP header.
What software is affected by CVE-2023-49062?
The affected software is Facebook Katran.
What is the severity of CVE-2023-49062?
The severity of CVE-2023-49062 is high.
How can the CVE-2023-49062 vulnerability be exploited?
The CVE-2023-49062 vulnerability can be exploited by an attacker to disclose non-initialized kernel memory.
Where can I find more information about CVE-2023-49062?
You can find more information about CVE-2023-49062 in the Facebook security advisory and the GitHub commit.
- collector/mitre-cve
- collector/nvd-api
- vendor/facebook
- canonical/facebook katran