What is the vulnerability ID for this Linux kernel vulnerability?

The vulnerability ID for this Linux kernel vulnerability is CVE-2023-0458.

How does this vulnerability in the Linux kernel impact system security?

This vulnerability in the Linux kernel can be exploited by a local attacker to expose sensitive information (kernel memory).

Which versions of Ubuntu are affected by this vulnerability?

Versions 16.04 (Xenial Xerus) and 14.04 (Trusty Tahr) of Ubuntu are affected by this vulnerability.

What is the recommended remedy for this Linux kernel vulnerability?

The recommended remedy for this Linux kernel vulnerability is to update the affected Linux kernel packages to version 4.4.0.243.249 or later.

Where can I find more information about this vulnerability?

You can find more information about this vulnerability on the official Ubuntu security page. Please refer to the provided references for detailed information.

Vulnerability/
USN-6254-1

CWE

416 362

26/7/2023

USN-6254-1: Linux kernel vulnerabilities

First published: Wed Jul 26 2023(Updated: )

Jordy Zomer and Alexandra Sandulescu discovered that syscalls invoking the do_prlimit() function in the Linux kernel did not properly handle speculative execution barriers. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2023-0458) It was discovered that a race condition existed in the btrfs file system implementation in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2023-1611) It was discovered that the XFS file system implementation in the Linux kernel did not properly perform metadata validation when mounting certain images. An attacker could use this to specially craft a file system image that, when mounted, could cause a denial of service (system crash). (CVE-2023-2124) It was discovered that a use-after-free vulnerability existed in the iSCSI TCP implementation in the Linux kernel. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2023-2162) It was discovered that the ext4 file system implementation in the Linux kernel did not properly handle extra inode size for extended attributes, leading to a use-after-free vulnerability. A privileged attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-2513) It was discovered that the IP-VLAN network driver for the Linux kernel did not properly initialize memory in some situations, leading to an out-of- bounds write vulnerability. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-3090) It was discovered that the Ricoh R5C592 MemoryStick card reader driver in the Linux kernel contained a race condition during module unload, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-3141) It was discovered that a use-after-free vulnerability existed in the IEEE 1394 (Firewire) implementation in the Linux kernel. A privileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-3159) Sanan Hasanov discovered that the framebuffer console driver in the Linux kernel did not properly perform checks for font dimension limits. A local attacker could use this to cause a denial of service (system crash). (CVE-2023-3161) It was discovered that the kernel->user space relay implementation in the Linux kernel did not properly perform certain buffer calculations, leading to an out-of-bounds read vulnerability. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information (kernel memory). (CVE-2023-3268) It was discovered that the netfilter subsystem in the Linux kernel did not properly handle some error conditions, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-3390) Tanguy Dubroca discovered that the netfilter subsystem in the Linux kernel did not properly handle certain pointer data type, leading to an out-of- bounds write vulnerability. A privileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-35001)

Affected Software	Affected Version	How to fix
All of
ubuntu/linux-image-virtual	<4.4.0.243.249	4.4.0.243.249
	=16.04
All of
ubuntu/linux-image-generic	<4.4.0.243.249	4.4.0.243.249
	=16.04
All of
ubuntu/linux-image-lowlatency-lts-xenial	<4.4.0.243.249	4.4.0.243.249
	=16.04
All of
ubuntu/linux-image-aws	<4.4.0.1159.163	4.4.0.1159.163
	=16.04
All of
ubuntu/linux-image-virtual-lts-xenial	<4.4.0.243.249	4.4.0.243.249
	=16.04
All of
ubuntu/linux-image-4.4.0-1122-kvm	<4.4.0-1122.132	4.4.0-1122.132
	=16.04
All of
ubuntu/linux-image-4.4.0-243-lowlatency	<4.4.0-243.277	4.4.0-243.277
	=16.04
All of
ubuntu/linux-image-4.4.0-243-generic	<4.4.0-243.277	4.4.0-243.277
	=16.04
All of
ubuntu/linux-image-generic-lts-xenial	<4.4.0.243.249	4.4.0.243.249
	=16.04
All of
ubuntu/linux-image-kvm	<4.4.0.1122.119	4.4.0.1122.119
	=16.04
All of
ubuntu/linux-image-4.4.0-1159-aws	<4.4.0-1159.174	4.4.0-1159.174
	=16.04
All of
ubuntu/linux-image-lowlatency	<4.4.0.243.249	4.4.0.243.249
	=16.04
All of
ubuntu/linux-image-generic-lts-xenial	<4.4.0.243.211	4.4.0.243.211
	=14.04
All of
ubuntu/linux-image-aws	<4.4.0.1121.118	4.4.0.1121.118
	=14.04
All of
ubuntu/linux-image-4.4.0-243-lowlatency	<4.4.0-243.277~14.04.1	4.4.0-243.277~14.04.1
	=14.04
All of
ubuntu/linux-image-4.4.0-243-generic	<4.4.0-243.277~14.04.1	4.4.0-243.277~14.04.1
	=14.04
All of
ubuntu/linux-image-4.4.0-1121-aws	<4.4.0-1121.127	4.4.0-1121.127
	=14.04
All of
ubuntu/linux-image-lowlatency-lts-xenial	<4.4.0.243.211	4.4.0.243.211
	=14.04
All of
ubuntu/linux-image-virtual-lts-xenial	<4.4.0.243.211	4.4.0.243.211
	=14.04

Never miss a vulnerability like this again

Reference Links

Child vulnerabilities

(Contains the following vulnerabilities)

Frequently Asked Questions

What is the vulnerability ID for this Linux kernel vulnerability?
The vulnerability ID for this Linux kernel vulnerability is CVE-2023-0458.
How does this vulnerability in the Linux kernel impact system security?
This vulnerability in the Linux kernel can be exploited by a local attacker to expose sensitive information (kernel memory).
Which versions of Ubuntu are affected by this vulnerability?
Versions 16.04 (Xenial Xerus) and 14.04 (Trusty Tahr) of Ubuntu are affected by this vulnerability.
What is the recommended remedy for this Linux kernel vulnerability?
The recommended remedy for this Linux kernel vulnerability is to update the affected Linux kernel packages to version 4.4.0.243.249 or later.
Where can I find more information about this vulnerability?
You can find more information about this vulnerability on the official Ubuntu security page. Please refer to the provided references for detailed information.

agent/type
agent/weakness
agent/severity
agent/last-modified-date
agent/first-publish-date
agent/softwarecombine
agent/title
agent/references
agent/description
agent/event
agent/tags
agent/trending
collector/usn
source/Ubuntu
agent/software-canonical-lookup
package-manager/ubuntu
vendor/ubuntu
canonical/ubuntu ubuntu
version/ubuntu ubuntu/16.04
version/ubuntu ubuntu/14.04