Privilege escalation in Linux kernel io_uring

1) Use-after-free

EUVDB-ID: #VU82895

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-0240

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local authenticated user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the io_uring's implementation in io_prep_async_work function. A local authenticated user can trigger a use-after-free error and escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 5.10 - 5.10.161

CPE2.3

• cpe:2.3:o:linux_foundation:linux_kernel:5.10:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:5.10:rc1:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:5.10:rc2:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:5.10:rc3:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:5.10:rc4:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:5.10:rc5:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:5.10:rc7:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:5.10.1:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:5.10.2:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:5.10.3:*:*:*:*:*:*:*

External links

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/io_uring?h=linux-5.10.y&id=788d0824269bef539fe31a785b1517882eafed93
https://github.com/gregkh/linux/commit/1e6fa5216a0e59ef02e8b6b40d553238a3b81d49
https://kernel.dance/#788d0824269bef539fe31a785b1517882eafed93

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.