Wind River Support Network

Fixed

LINCD-11612 : Security Advisory - linux - CVE-2023-0240

Created: Jan 31, 2023    Updated: Mar 2, 2023
Resolved Date: Feb 1, 2023
Found In Version: 10.20.6.0
Fix Version: 10.23.9.0
Severity: Standard
Applicable for: Wind River Linux CD
Component/s: Kernel

Description

There is a logic error in io_uring's implementation which can be used to trigger a use-after-free vulnerability leading to privilege escalation. In the io_prep_async_work function, the assumption that the last io_grab_identity call cannot return false is not true; in that case the function will use the init_cred or the previously linked request's identity to perform operations instead of the current identity. This can lead to reference counting issues causing a use-after-free. We recommend upgrading past version 5.10.161.

CREATE(Triage):(User=admin) CVE-2023-0240 (https://nvd.nist.gov/vuln/detail/CVE-2023-0240)

CVEs

