CVE-2023-2235

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-2235
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-2235.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-2235
Downstream
Related
Published
2023-05-01T13:15:44Z
Modified
2025-08-09T20:01:25Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

A use-after-free vulnerability in the Linux Kernel Performance Events system can be exploited to achieve local privilege escalation.

The perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on sibling events before detaching them from their group, leaving a dangling pointer that could be used, causing a use-after-free vulnerability.

We recommend upgrading past commit fd0815f632c24878e325821943edccc7fde947a2.

References

Affected packages