Description
A use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation. The unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free. We recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.
CVSS breakdown
CVSS 3.1
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected products
- Linux / Kernel4.2 – 6.1.47
References
- MISChttps://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-6.1.y&id=790c2f9d15b594350ae9bca7b236f2b1859de02c
- MISChttps://kernel.dance/790c2f9d15b594350ae9bca7b236f2b1859de02c
- VENDOR_ADVISORYhttps://www.debian.org/security/2023/dsa-5492
- MAILING_LISThttps://lists.debian.org/debian-lts-announce/2023/10/msg00027.html
- EXPLOIThttp://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html
- MAILING_LISThttps://lists.debian.org/debian-lts-announce/2024/01/msg00004.html