Description
A use-after-free vulnerability in the Linux kernel io_uring subsystem can be exploited to achieve local privilege escalation. Racing an io_uring cancel poll request with a linked timeout can cause a UAF in an hrtimer. We recommend upgrading past commit ef7dfac51d8ed961b742218f526bd589f3900a59 (4716c73b188566865bdd79c3a6709696a224ac04 for 5.10 stable and 0e388fce7aec40992eadee654193cad345d62663 for 5.15 stable).
CVSS breakdown
CVSS 3.1
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Affected products
- Linux / Kernel 5.13 – 6.4
- Linux / Kernel 5.10.162 – 5.10.185
References
- MISC: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.15.y&id=0e388fce7aec40992eadee654193cad345d62663
- MISC: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=4716c73b188566865bdd79c3a6709696a224ac04
- MISC: https://kernel.dance/0e388fce7aec40992eadee654193cad345d62663
- MISC: https://kernel.dance/4716c73b188566865bdd79c3a6709696a224ac04
- MISC: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ef7dfac51d8ed961b742218f526bd589f3900a59
- MISC: https://kernel.dance/ef7dfac51d8ed961b742218f526bd589f3900a59
- MISC: https://security.netapp.com/advisory/ntap-20230731-0001/
- VENDOR_ADVISORY: https://www.debian.org/security/2023/dsa-5480
- EXPLOIT: http://packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097-1.html
- MAILING_LIST: https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html