Wind River Support Network

HomeDefectsLIN1022-4160
Fixed

LIN1022-4160 : Security Advisory - linux - CVE-2023-2248

Created: May 4, 2023    Updated: May 17, 2023
Resolved Date: May 7, 2023
Found In Version: 10.22.33.1
Fix Version: 10.22.33.8
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

A heap out-of-bounds read/write vulnerability in the Linux Kernel traffic control (QoS) subsystem can be exploited to achieve local privilege escalation.

The qfq_change_class function does not properly limit the lmax variable which can lead to out-of-bounds read/write. If the TCA_QFQ_LMAX value is not offered through nlattr, lmax is determined by the MTU value of the network device. The MTU of the loopback device can be set up to 2^31-1 and as a result, it is possible to have an lmax value that exceeds QFQ_MIN_LMAX.

We recommend upgrading past commit 3037933448f60f9acb705997eae62013ecb81e0d.



CREATE(Triage):(User=admin) CVE-2023-2248 (https://nvd.nist.gov/vuln/detail/CVE-2023-2248)

CVEs


Live chat
Online