CVE-2023-3609 - Vulnerability Details

A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Debian	Debian Linux
Linux	Linux Kernel
Redhat	Enterprise Linux Rhel Aus Rhel E4s Rhel Eus Rhel Extras Rt Rhel Tus Rhev Hypervisor

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.4:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.4:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.4:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.4:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.4:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.4:rc6::::::

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7
kernel-rt-0:3.10.0-1160.102.1.rt56.1250.el7	cpe:/a:redhat:rhel_extras_rt:7	RHSA-2023:5621	2023-10-10T00:00:00Z
kpatch-patch	cpe:/o:redhat:enterprise_linux:7	RHSA-2023:5574	2023-10-10T00:00:00Z
kernel-0:3.10.0-1160.102.1.el7	cpe:/o:redhat:enterprise_linux:7	RHSA-2023:5622	2023-10-10T00:00:00Z
Red Hat Enterprise Linux 7.6 Advanced Update Support(Disable again in 2026 - SPRHEL-7118)
kernel-0:3.10.0-957.108.1.el7	cpe:/o:redhat:rhel_aus:7.6	RHSA-2023:7294	2023-11-15T00:00:00Z
Red Hat Enterprise Linux 7.7 Advanced Update Support
kernel-0:3.10.0-1062.85.1.el7	cpe:/o:redhat:rhel_aus:7.7	RHSA-2024:0999	2024-02-27T00:00:00Z
Red Hat Enterprise Linux 8
kernel-rt-0:4.18.0-513.5.1.rt7.307.el8_9	cpe:/a:redhat:enterprise_linux:8::nfv	RHSA-2023:6901	2023-11-14T00:00:00Z
kernel-0:4.18.0-513.5.1.el8_9	cpe:/o:redhat:enterprise_linux:8	RHSA-2023:7077	2023-11-14T00:00:00Z
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions
kpatch-patch	cpe:/o:redhat:rhel_e4s:8.1	RHSA-2023:6799	2023-11-08T00:00:00Z
kernel-0:4.18.0-147.94.1.el8_1	cpe:/o:redhat:rhel_e4s:8.1	RHSA-2023:6813	2023-11-08T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
kernel-0:4.18.0-193.119.1.el8_2	cpe:/o:redhat:rhel_aus:8.2	RHSA-2023:7434	2023-11-21T00:00:00Z
Red Hat Enterprise Linux 8.2 Telecommunications Update Service
kernel-rt-0:4.18.0-193.119.1.rt13.170.el8_2	cpe:/a:redhat:rhel_tus:8.2::nfv	RHSA-2023:7431	2023-11-21T00:00:00Z
kernel-0:4.18.0-193.119.1.el8_2	cpe:/o:redhat:rhel_tus:8.2	RHSA-2023:7434	2023-11-21T00:00:00Z
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
kpatch-patch	cpe:/o:redhat:rhel_e4s:8.2	RHSA-2023:7417	2023-11-21T00:00:00Z
kernel-0:4.18.0-193.119.1.el8_2	cpe:/o:redhat:rhel_e4s:8.2	RHSA-2023:7434	2023-11-21T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
kernel-0:4.18.0-305.108.1.el8_4	cpe:/o:redhat:rhel_aus:8.4	RHSA-2023:5628	2023-10-10T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
kernel-rt-0:4.18.0-305.108.1.rt7.183.el8_4	cpe:/a:redhat:rhel_tus:8.4::nfv	RHSA-2023:5794	2023-10-17T00:00:00Z
kernel-0:4.18.0-305.108.1.el8_4	cpe:/o:redhat:rhel_tus:8.4	RHSA-2023:5628	2023-10-10T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
kernel-0:4.18.0-305.108.1.el8_4	cpe:/o:redhat:rhel_e4s:8.4	RHSA-2023:5628	2023-10-10T00:00:00Z
kpatch-patch	cpe:/o:redhat:rhel_e4s:8.4	RHSA-2023:5775	2023-10-17T00:00:00Z
Red Hat Enterprise Linux 8.6 Extended Update Support
kernel-0:4.18.0-372.80.1.el8_6	cpe:/o:redhat:rhel_eus:8.6	RHSA-2023:7398	2023-11-21T00:00:00Z
kpatch-patch	cpe:/o:redhat:rhel_eus:8.6	RHSA-2023:7410	2023-11-21T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
kernel-0:4.18.0-477.36.1.el8_8	cpe:/o:redhat:rhel_eus:8.8	RHSA-2023:7539	2023-11-28T00:00:00Z
kpatch-patch	cpe:/o:redhat:rhel_eus:8.8	RHSA-2023:7558	2023-11-28T00:00:00Z
Red Hat Enterprise Linux 9
kernel-0:5.14.0-362.8.1.el9_3	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:6583	2023-11-07T00:00:00Z
kernel-0:5.14.0-362.8.1.el9_3	cpe:/o:redhat:enterprise_linux:9	RHSA-2023:6583	2023-11-07T00:00:00Z
Red Hat Enterprise Linux 9.0 Extended Update Support
kernel-0:5.14.0-70.93.2.el9_0	cpe:/a:redhat:rhel_eus:9.0	RHSA-2024:1250	2024-03-12T00:00:00Z
kernel-rt-0:5.14.0-70.93.1.rt21.165.el9_0	cpe:/a:redhat:rhel_eus:9.0::nfv	RHSA-2024:1306	2024-03-13T00:00:00Z
kpatch-patch	cpe:/o:redhat:rhel_eus:9.0	RHSA-2024:1253	2024-03-12T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
kernel-0:5.14.0-284.40.1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2023:7370	2023-11-21T00:00:00Z
kernel-rt-0:5.14.0-284.40.1.rt14.325.el9_2	cpe:/a:redhat:rhel_eus:9.2::nfv	RHSA-2023:7379	2023-11-21T00:00:00Z
kpatch-patch	cpe:/o:redhat:rhel_eus:9.2	RHSA-2023:7418	2023-11-21T00:00:00Z
Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
kernel-0:4.18.0-372.80.1.el8_6	cpe:/o:redhat:rhev_hypervisor:4.4::el8	RHSA-2023:7398	2023-11-21T00:00:00Z

References

Link	Providers
http://packetstormsecurity.com/files/175072/Kernel-Live-Patch-Security-Notice-LSN-0098-1.html
http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=04c55383fa5689357bcdd2c8036725a55ed632bc
https://kernel.dance/04c55383fa5689357bcdd2c8036725a55ed632bc
https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html
https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html
https://nvd.nist.gov/vuln/detail/CVE-2023-3609
https://security.netapp.com/advisory/ntap-20230818-0005/
https://www.cve.org/CVERecord?id=CVE-2023-3609
https://www.debian.org/security/2023/dsa-5480

History

Wed, 05 Mar 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 13 Feb 2025 17:00:00 +0000

Type	Values Removed	Values Added
Description	A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.	A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.

MITRE

Status: PUBLISHED

Assigner: Google

Published: 2023-07-21T20:47:12.172Z

Updated: 2025-03-05T18:48:12.763Z

Reserved: 2023-07-10T20:52:53.660Z

Link: CVE-2023-3609

Vulnrichment

Updated: 2024-08-02T07:01:56.672Z

NVD

Status : Modified

Published: 2023-07-21T21:15:11.743

Modified: 2025-02-13T17:16:57.787

Link: CVE-2023-3609

Redhat

Severity : Important

Publid Date: 2023-07-21T00:00:00Z

Links: CVE-2023-3609 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3609", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2023-07-10T20:52:53.660Z", "datePublished": "2023-07-21T20:47:12.172Z", "dateUpdated": "2025-03-05T18:48:12.763Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "kernel", "product": "Kernel", "repo": "https://git.kernel.org", "vendor": "Linux", "versions": [{"lessThan": "6.4", "status": "affected", "version": "4.14", "versionType": "custom"}]}], "datePublic": "2023-06-09T10:40:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.If tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc."}], "value": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\n\nIf tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\n\nWe recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2024-01-11T19:06:24.758Z"}, "references": [{"tags": ["patch"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=04c55383fa5689357bcdd2c8036725a55ed632bc"}, {"url": "https://kernel.dance/04c55383fa5689357bcdd2c8036725a55ed632bc"}, {"url": "https://security.netapp.com/advisory/ntap-20230818-0005/"}, {"url": "https://www.debian.org/security/2023/dsa-5480"}, {"url": "http://packetstormsecurity.com/files/175072/Kernel-Live-Patch-Security-Notice-LSN-0098-1.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"}, {"url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Use-after-free in Linux kernel's net/sched: cls_u32 component", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:01:56.672Z"}, "title": "CVE Program Container", "references": [{"tags": ["patch", "x_transferred"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=04c55383fa5689357bcdd2c8036725a55ed632bc"}, {"url": "https://kernel.dance/04c55383fa5689357bcdd2c8036725a55ed632bc", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230818-0005/", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5480", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/175072/Kernel-Live-Patch-Security-Notice-LSN-0098-1.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-05T18:36:26.184616Z", "id": "CVE-2023-3609", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-05T18:48:12.763Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=04c55383fa5689357bcdd2c8036725a55ed632bc", "tags": ["patch", "x_transferred"]}, {"url": "https://kernel.dance/04c55383fa5689357bcdd2c8036725a55ed632bc", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230818-0005/", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5480", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/175072/Kernel-Live-Patch-Security-Notice-LSN-0098-1.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:01:56.672Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-3609", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-05T18:36:26.184616Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-05T18:36:27.667Z"}}], "cna": {"title": "Use-after-free in Linux kernel's net/sched: cls_u32 component", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://git.kernel.org", "vendor": "Linux", "product": "Kernel", "versions": [{"status": "affected", "version": "4.14", "lessThan": "6.4", "versionType": "custom"}], "packageName": "kernel", "defaultStatus": "unaffected"}], "datePublic": "2023-06-09T10:40:00.000Z", "references": [{"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=04c55383fa5689357bcdd2c8036725a55ed632bc", "tags": ["patch"]}, {"url": "https://kernel.dance/04c55383fa5689357bcdd2c8036725a55ed632bc"}, {"url": "https://security.netapp.com/advisory/ntap-20230818-0005/"}, {"url": "https://www.debian.org/security/2023/dsa-5480"}, {"url": "http://packetstormsecurity.com/files/175072/Kernel-Live-Patch-Security-Notice-LSN-0098-1.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"}, {"url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\n\nIf tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\n\nWe recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.", "supportingMedia": [{"type": "text/html", "value": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.If tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2024-01-11T19:06:24.758Z"}}}, "cveMetadata": {"cveId": "CVE-2023-3609", "state": "PUBLISHED", "dateUpdated": "2025-03-05T18:48:12.763Z", "dateReserved": "2023-07-10T20:52:53.660Z", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "datePublished": "2023-07-21T20:47:12.172Z", "assignerShortName": "Google"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "AD5A233A-2C1B-4397-AACC-92FE4E062AA9", "versionEndExcluding": "6.4", "versionStartIncluding": "4.14", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "38BC6744-7D25-4C02-9966-B224CD071D30", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.4:rc2:*:*:*:*:*:*", "matchCriteriaId": "76061B41-CAE9-4467-BEDE-0FFC7956F2A1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.4:rc3:*:*:*:*:*:*", "matchCriteriaId": "A717BA5B-D535-46A0-A329-A25FE5CEC588", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.4:rc4:*:*:*:*:*:*", "matchCriteriaId": "89CC80C6-F1EE-4AC7-BD21-DB3217BADE87", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.4:rc5:*:*:*:*:*:*", "matchCriteriaId": "41EACEA1-FB69-4AF2-BC52-D39489858D42", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.4:rc6:*:*:*:*:*:*", "matchCriteriaId": "9E1C36BE-F9D8-40B6-8281-5B8F9B42322D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\n\nIf tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\n\nWe recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc."}], "id": "CVE-2023-3609", "lastModified": "2025-02-13T17:16:57.787", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "cve-coordination@google.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-07-21T21:15:11.743", "references": [{"source": "cve-coordination@google.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/175072/Kernel-Live-Patch-Security-Notice-LSN-0098-1.html"}, {"source": "cve-coordination@google.com", "url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html"}, {"source": "cve-coordination@google.com", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=04c55383fa5689357bcdd2c8036725a55ed632bc"}, {"source": "cve-coordination@google.com", "tags": ["Vendor Advisory"], "url": "https://kernel.dance/04c55383fa5689357bcdd2c8036725a55ed632bc"}, {"source": "cve-coordination@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"}, {"source": "cve-coordination@google.com", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"}, {"source": "cve-coordination@google.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230818-0005/"}, {"source": "cve-coordination@google.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5480"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/175072/Kernel-Live-Patch-Security-Notice-LSN-0098-1.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=04c55383fa5689357bcdd2c8036725a55ed632bc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://kernel.dance/04c55383fa5689357bcdd2c8036725a55ed632bc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230818-0005/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5480"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "cve-coordination@google.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:5621", "cpe": "cpe:/a:redhat:rhel_extras_rt:7", "package": "kernel-rt-0:3.10.0-1160.102.1.rt56.1250.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2023-10-10T00:00:00Z"}, {"advisory": "RHSA-2023:5574", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2023-10-10T00:00:00Z"}, {"advisory": "RHSA-2023:5622", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "kernel-0:3.10.0-1160.102.1.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2023-10-10T00:00:00Z"}, {"advisory": "RHSA-2023:7294", "cpe": "cpe:/o:redhat:rhel_aus:7.6", "package": "kernel-0:3.10.0-957.108.1.el7", "product_name": "Red Hat Enterprise Linux 7.6 Advanced Update Support(Disable again in 2026 - SPRHEL-7118)", "release_date": "2023-11-15T00:00:00Z"}, {"advisory": "RHSA-2024:0999", "cpe": "cpe:/o:redhat:rhel_aus:7.7", "package": "kernel-0:3.10.0-1062.85.1.el7", "product_name": "Red Hat Enterprise Linux 7.7 Advanced Update Support", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2023:6901", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-513.5.1.rt7.307.el8_9", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-11-14T00:00:00Z"}, {"advisory": "RHSA-2023:7077", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-513.5.1.el8_9", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-11-14T00:00:00Z"}, {"advisory": "RHSA-2023:6799", "cpe": "cpe:/o:redhat:rhel_e4s:8.1", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2023-11-08T00:00:00Z"}, {"advisory": "RHSA-2023:6813", "cpe": "cpe:/o:redhat:rhel_e4s:8.1", "package": "kernel-0:4.18.0-147.94.1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2023-11-08T00:00:00Z"}, {"advisory": "RHSA-2023:7434", "cpe": "cpe:/o:redhat:rhel_aus:8.2", "package": "kernel-0:4.18.0-193.119.1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7431", "cpe": "cpe:/a:redhat:rhel_tus:8.2::nfv", "package": "kernel-rt-0:4.18.0-193.119.1.rt13.170.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7434", "cpe": "cpe:/o:redhat:rhel_tus:8.2", "package": "kernel-0:4.18.0-193.119.1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7417", "cpe": "cpe:/o:redhat:rhel_e4s:8.2", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7434", "cpe": "cpe:/o:redhat:rhel_e4s:8.2", "package": "kernel-0:4.18.0-193.119.1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:5628", "cpe": "cpe:/o:redhat:rhel_aus:8.4", "package": "kernel-0:4.18.0-305.108.1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2023-10-10T00:00:00Z"}, {"advisory": "RHSA-2023:5794", "cpe": "cpe:/a:redhat:rhel_tus:8.4::nfv", "package": "kernel-rt-0:4.18.0-305.108.1.rt7.183.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2023-10-17T00:00:00Z"}, {"advisory": "RHSA-2023:5628", "cpe": "cpe:/o:redhat:rhel_tus:8.4", "package": "kernel-0:4.18.0-305.108.1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2023-10-10T00:00:00Z"}, {"advisory": "RHSA-2023:5628", "cpe": "cpe:/o:redhat:rhel_e4s:8.4", "package": "kernel-0:4.18.0-305.108.1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2023-10-10T00:00:00Z"}, {"advisory": "RHSA-2023:5775", "cpe": "cpe:/o:redhat:rhel_e4s:8.4", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2023-10-17T00:00:00Z"}, {"advisory": "RHSA-2023:7398", "cpe": "cpe:/o:redhat:rhel_eus:8.6", "package": "kernel-0:4.18.0-372.80.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7410", "cpe": "cpe:/o:redhat:rhel_eus:8.6", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7539", "cpe": "cpe:/o:redhat:rhel_eus:8.8", "package": "kernel-0:4.18.0-477.36.1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2023-11-28T00:00:00Z"}, {"advisory": "RHSA-2023:7558", "cpe": "cpe:/o:redhat:rhel_eus:8.8", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2023-11-28T00:00:00Z"}, {"advisory": "RHSA-2023:6583", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-362.8.1.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}, {"advisory": "RHSA-2023:6583", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-362.8.1.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}, {"advisory": "RHSA-2024:1250", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "kernel-0:5.14.0-70.93.2.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-03-12T00:00:00Z"}, {"advisory": "RHSA-2024:1306", "cpe": "cpe:/a:redhat:rhel_eus:9.0::nfv", "package": "kernel-rt-0:5.14.0-70.93.1.rt21.165.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-03-13T00:00:00Z"}, {"advisory": "RHSA-2024:1253", "cpe": "cpe:/o:redhat:rhel_eus:9.0", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-03-12T00:00:00Z"}, {"advisory": "RHSA-2023:7370", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "kernel-0:5.14.0-284.40.1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7379", "cpe": "cpe:/a:redhat:rhel_eus:9.2::nfv", "package": "kernel-rt-0:5.14.0-284.40.1.rt14.325.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7418", "cpe": "cpe:/o:redhat:rhel_eus:9.2", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7398", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package": "kernel-0:4.18.0-372.80.1.el8_6", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2023-11-21T00:00:00Z"}], "bugzilla": {"description": "kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails", "id": "2225201", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2225201"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-415", "details": ["A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\nIf tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\nWe recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.", "A double-free flaw was found in u32_set_parms in net/sched/cls_u32.c in the Network Scheduler component in the Linux kernel. This flaw allows a local attacker to use a failure event to mishandle the reference counter, leading to a local privilege escalation threat."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent module cls_u32 from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically."}, "name": "CVE-2023-3609", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2023-07-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-3609\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-3609\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=04c55383fa5689357bcdd2c8036725a55ed632bc"], "threat_severity": "Important"}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object