OESA-2023-1467

The Linux Kernel, the operating system core itself.

Security Fix(es):

In multiple functions of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

(CVE-2023-21255)

(CVE-2023-2163)

A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2TREECONNECT and SMB2QUERYINFO commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.(CVE-2023-32248)

VUL-0: CVE-2023-32255: kernel: Linux Kernel ksmbd Session Setup Memory Leak Denial-of-Service Vulnerability(CVE-2023-32255)

A use-after-free flaw was found in vcsread in drivers/tty/vt/vcscreen.c in vc_screen in the Linux Kernel. This flaw allows an attacker with local user access to cause a system crash or leak internal kernel information.(CVE-2023-3567)

A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.

If tcfchangeindev() fails, u32setparms() will immediately return an error after incrementing or decrementing the reference counter in tcfbindfilter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.

We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.

(CVE-2023-3609)

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

Flaw in the error handling of bound chains causes a use-after-free in the abort path of NFTMSGNEWRULE. The vulnerability requires CAPNETADMIN to be triggered.

We recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.

(CVE-2023-3610)

An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.

The qfqchangeagg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks.

We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.

(CVE-2023-3611)

A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.

If tcfchangeindev() fails, fwsetparms() will immediately return an error after incrementing or decrementing the reference counter in tcfbindfilter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.

We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.

(CVE-2023-3776)

An issue was discovered in the Linux kernel before 6.3.4. ksmbd has an out-of-bounds read in smb2findcontextvals when createcontext's name_len is larger than the tag length.(CVE-2023-38426)

An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/smb2pdu.c in ksmbd does not properly check the UserName value because it does not consider the address of security buffer, leading to an out-of-bounds read.(CVE-2023-38428)