Wind River Support Network


LIN1022-4160 : Security Advisory - linux - CVE-2023-2248

Created: May 4, 2023    Updated: May 17, 2023
Resolved Date: May 7, 2023
Found In Version:
Fix Version:
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel


A heap out-of-bounds read/write vulnerability in the Linux Kernel traffic control (QoS) subsystem can be exploited to achieve local privilege escalation.

The qfq_change_class function does not properly limit the lmax variable which can lead to out-of-bounds read/write. If the TCA_QFQ_LMAX value is not offered through nlattr, lmax is determined by the MTU value of the network device. The MTU of the loopback device can be set up to 2^31-1 and as a result, it is possible to have an lmax value that exceeds QFQ_MIN_LMAX.

We recommend upgrading past commit 3037933448f60f9acb705997eae62013ecb81e0d.

CREATE(Triage):(User=admin) CVE-2023-2248 (


Live chat