CVE-2023-3776 - Vulnerability Details

A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Debian	Debian Linux
Linux	Linux Kernel
Redhat	Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Extras Rt Rhel Tus Rhev Hypervisor

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.5:rc1::::::

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*
	cpe:2.3:o:debian:debian_linux:12.0:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 6 Extended Lifecycle Support
kernel-0:2.6.32-754.53.1.el6	cpe:/o:redhat:rhel_els:6	RHSA-2024:1831	2024-04-16T00:00:00Z
Red Hat Enterprise Linux 7
kernel-rt-0:3.10.0-1160.105.1.rt56.1256.el7	cpe:/a:redhat:rhel_extras_rt:7	RHSA-2023:7424	2023-11-21T00:00:00Z
kpatch-patch	cpe:/o:redhat:enterprise_linux:7	RHSA-2023:7419	2023-11-21T00:00:00Z
kernel-0:3.10.0-1160.105.1.el7	cpe:/o:redhat:enterprise_linux:7	RHSA-2023:7423	2023-11-21T00:00:00Z
Red Hat Enterprise Linux 7.6 Advanced Update Support(Disable again in 2026 - SPRHEL-7118)
kernel-0:3.10.0-957.108.1.el7	cpe:/o:redhat:rhel_aus:7.6	RHSA-2023:7294	2023-11-15T00:00:00Z
Red Hat Enterprise Linux 7.7 Advanced Update Support
kernel-0:3.10.0-1062.82.1.el7	cpe:/o:redhat:rhel_aus:7.7	RHSA-2024:0262	2024-01-16T00:00:00Z
Red Hat Enterprise Linux 8
kernel-rt-0:4.18.0-477.27.1.rt7.290.el8_8	cpe:/a:redhat:enterprise_linux:8::nfv	RHSA-2023:5255	2023-09-19T00:00:00Z
kpatch-patch	cpe:/o:redhat:enterprise_linux:8	RHSA-2023:5221	2023-09-19T00:00:00Z
kernel-0:4.18.0-477.27.1.el8_8	cpe:/o:redhat:enterprise_linux:8	RHSA-2023:5244	2023-09-19T00:00:00Z
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions
kpatch-patch	cpe:/o:redhat:rhel_e4s:8.1	RHSA-2023:6799	2023-11-08T00:00:00Z
kernel-0:4.18.0-147.94.1.el8_1	cpe:/o:redhat:rhel_e4s:8.1	RHSA-2023:6813	2023-11-08T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
kernel-0:4.18.0-193.119.1.el8_2	cpe:/o:redhat:rhel_aus:8.2	RHSA-2023:7434	2023-11-21T00:00:00Z
Red Hat Enterprise Linux 8.2 Telecommunications Update Service
kernel-rt-0:4.18.0-193.119.1.rt13.170.el8_2	cpe:/a:redhat:rhel_tus:8.2::nfv	RHSA-2023:7431	2023-11-21T00:00:00Z
kernel-0:4.18.0-193.119.1.el8_2	cpe:/o:redhat:rhel_tus:8.2	RHSA-2023:7434	2023-11-21T00:00:00Z
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
kpatch-patch	cpe:/o:redhat:rhel_e4s:8.2	RHSA-2023:7417	2023-11-21T00:00:00Z
kernel-0:4.18.0-193.119.1.el8_2	cpe:/o:redhat:rhel_e4s:8.2	RHSA-2023:7434	2023-11-21T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
kernel-0:4.18.0-305.108.1.el8_4	cpe:/o:redhat:rhel_aus:8.4	RHSA-2023:5628	2023-10-10T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
kernel-rt-0:4.18.0-305.108.1.rt7.183.el8_4	cpe:/a:redhat:rhel_tus:8.4::nfv	RHSA-2023:5794	2023-10-17T00:00:00Z
kernel-0:4.18.0-305.108.1.el8_4	cpe:/o:redhat:rhel_tus:8.4	RHSA-2023:5628	2023-10-10T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
kernel-0:4.18.0-305.108.1.el8_4	cpe:/o:redhat:rhel_e4s:8.4	RHSA-2023:5628	2023-10-10T00:00:00Z
kpatch-patch	cpe:/o:redhat:rhel_e4s:8.4	RHSA-2023:5775	2023-10-17T00:00:00Z
Red Hat Enterprise Linux 8.6 Extended Update Support
kernel-0:4.18.0-372.80.1.el8_6	cpe:/o:redhat:rhel_eus:8.6	RHSA-2023:7398	2023-11-21T00:00:00Z
kpatch-patch	cpe:/o:redhat:rhel_eus:8.6	RHSA-2023:7410	2023-11-21T00:00:00Z
Red Hat Enterprise Linux 9
kernel-0:5.14.0-284.30.1.el9_2	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:5069	2023-09-12T00:00:00Z
kernel-rt-0:5.14.0-284.30.1.rt14.315.el9_2	cpe:/a:redhat:enterprise_linux:9::nfv	RHSA-2023:5091	2023-09-12T00:00:00Z
kernel-0:5.14.0-284.30.1.el9_2	cpe:/o:redhat:enterprise_linux:9	RHSA-2023:5069	2023-09-12T00:00:00Z
kpatch-patch	cpe:/o:redhat:enterprise_linux:9	RHSA-2023:5093	2023-09-12T00:00:00Z
Red Hat Enterprise Linux 9.0 Extended Update Support
kernel-0:5.14.0-70.80.1.el9_0	cpe:/a:redhat:rhel_eus:9.0	RHSA-2023:7382	2023-11-21T00:00:00Z
kernel-rt-0:5.14.0-70.80.1.rt21.151.el9_0	cpe:/a:redhat:rhel_eus:9.0::nfv	RHSA-2023:7389	2023-11-21T00:00:00Z
kpatch-patch	cpe:/o:redhat:rhel_eus:9.0	RHSA-2023:7411	2023-11-21T00:00:00Z
Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
kernel-0:4.18.0-372.80.1.el8_6	cpe:/o:redhat:rhev_hypervisor:4.4::el8	RHSA-2023:7398	2023-11-21T00:00:00Z

References

Link	Providers
http://packetstormsecurity.com/files/175072/Kernel-Live-Patch-Security-Notice-LSN-0098-1.html
http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=0323bce598eea038714f941ce2b22541c46d488f
https://kernel.dance/0323bce598eea038714f941ce2b22541c46d488f
https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html
https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html
https://nvd.nist.gov/vuln/detail/CVE-2023-3776
https://security.netapp.com/advisory/ntap-20240202-0003/
https://www.cve.org/CVERecord?id=CVE-2023-3776
https://www.debian.org/security/2023/dsa-5480
https://www.debian.org/security/2023/dsa-5492

History

Wed, 05 Mar 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 13 Feb 2025 17:15:00 +0000

Type	Values Removed	Values Added
Description	A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.	A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.

MITRE

Status: PUBLISHED

Assigner: Google

Published: 2023-07-21T20:49:53.667Z

Updated: 2025-03-05T18:48:04.229Z

Reserved: 2023-07-19T15:50:20.757Z

Link: CVE-2023-3776

Vulnrichment

Updated: 2024-08-02T07:08:49.975Z

NVD

Status : Modified

Published: 2023-07-21T21:15:11.973

Modified: 2025-02-13T17:16:58.960

Link: CVE-2023-3776

Redhat

Severity : Important

Publid Date: 2023-07-06T00:00:00Z

Links: CVE-2023-3776 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3776", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2023-07-19T15:50:20.757Z", "datePublished": "2023-07-21T20:49:53.667Z", "dateUpdated": "2025-03-05T18:48:04.229Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "kernel", "product": "Kernel", "repo": "https://git.kernel.org", "vendor": "Linux", "versions": [{"lessThan": "6.5", "status": "affected", "version": "2.6", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Muhammad Alifa Ramdhan of STAR Labs SG"}], "datePublic": "2023-07-07T02:10:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f."}], "value": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.\n\nIf tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\n\nWe recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2024-02-02T14:06:25.968Z"}, "references": [{"tags": ["patch"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=0323bce598eea038714f941ce2b22541c46d488f"}, {"url": "https://kernel.dance/0323bce598eea038714f941ce2b22541c46d488f"}, {"url": "https://www.debian.org/security/2023/dsa-5480"}, {"url": "https://www.debian.org/security/2023/dsa-5492"}, {"url": "http://packetstormsecurity.com/files/175072/Kernel-Live-Patch-Security-Notice-LSN-0098-1.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"}, {"url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240202-0003/"}], "source": {"discovery": "EXTERNAL"}, "title": "Use-after-free in Linux kernel's net/sched: cls_fw component", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:08:49.975Z"}, "title": "CVE Program Container", "references": [{"tags": ["patch", "x_transferred"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=0323bce598eea038714f941ce2b22541c46d488f"}, {"url": "https://kernel.dance/0323bce598eea038714f941ce2b22541c46d488f", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5480", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5492", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/175072/Kernel-Live-Patch-Security-Notice-LSN-0098-1.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240202-0003/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-05T18:36:21.985284Z", "id": "CVE-2023-3776", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-05T18:48:04.229Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=0323bce598eea038714f941ce2b22541c46d488f", "tags": ["patch", "x_transferred"]}, {"url": "https://kernel.dance/0323bce598eea038714f941ce2b22541c46d488f", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5480", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5492", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/175072/Kernel-Live-Patch-Security-Notice-LSN-0098-1.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240202-0003/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:08:49.975Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-3776", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-05T18:36:21.985284Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-05T18:36:24.013Z"}}], "cna": {"title": "Use-after-free in Linux kernel's net/sched: cls_fw component", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Muhammad Alifa Ramdhan of STAR Labs SG"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://git.kernel.org", "vendor": "Linux", "product": "Kernel", "versions": [{"status": "affected", "version": "2.6", "lessThan": "6.5", "versionType": "custom"}], "packageName": "kernel", "defaultStatus": "unaffected"}], "datePublic": "2023-07-07T02:10:00.000Z", "references": [{"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=0323bce598eea038714f941ce2b22541c46d488f", "tags": ["patch"]}, {"url": "https://kernel.dance/0323bce598eea038714f941ce2b22541c46d488f"}, {"url": "https://www.debian.org/security/2023/dsa-5480"}, {"url": "https://www.debian.org/security/2023/dsa-5492"}, {"url": "http://packetstormsecurity.com/files/175072/Kernel-Live-Patch-Security-Notice-LSN-0098-1.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"}, {"url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240202-0003/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.\n\nIf tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\n\nWe recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.", "supportingMedia": [{"type": "text/html", "value": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2024-02-02T14:06:25.968Z"}}}, "cveMetadata": {"cveId": "CVE-2023-3776", "state": "PUBLISHED", "dateUpdated": "2025-03-05T18:48:04.229Z", "dateReserved": "2023-07-19T15:50:20.757Z", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "datePublished": "2023-07-21T20:49:53.667Z", "assignerShortName": "Google"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7A8308C-F4B2-4261-B590-BCD968EF650E", "versionEndExcluding": "4.14.322", "versionStartIncluding": "2.6.12", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2D2CA9F-4CC4-4AF5-8C6D-E58415AB782E", "versionEndExcluding": "4.19.291", "versionStartIncluding": "4.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7FA663C4-CA72-4B5A-8592-7354D978F58E", "versionEndExcluding": "5.4.251", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "43CAE50A-4A6C-488E-813C-F8DB77C13C8B", "versionEndExcluding": "5.10.188", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EC77775B-EC31-4966-966C-1286C02B2A85", "versionEndExcluding": "5.15.121", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69315BCC-36D2-45CD-84F8-381EDF8E38F3", "versionEndExcluding": "6.1.40", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "923F6AEA-C2EF-4B08-B038-69A18F3D41F8", "versionEndExcluding": "6.4.5", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "0B3E6E4D-E24E-4630-B00C-8C9901C597B0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*", "matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.\n\nIf tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\n\nWe recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f."}], "id": "CVE-2023-3776", "lastModified": "2025-02-13T17:16:58.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "cve-coordination@google.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-07-21T21:15:11.973", "references": [{"source": "cve-coordination@google.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/175072/Kernel-Live-Patch-Security-Notice-LSN-0098-1.html"}, {"source": "cve-coordination@google.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html"}, {"source": "cve-coordination@google.com", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=0323bce598eea038714f941ce2b22541c46d488f"}, {"source": "cve-coordination@google.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://kernel.dance/0323bce598eea038714f941ce2b22541c46d488f"}, {"source": "cve-coordination@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"}, {"source": "cve-coordination@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"}, {"source": "cve-coordination@google.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20240202-0003/"}, {"source": "cve-coordination@google.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5480"}, {"source": "cve-coordination@google.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5492"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/175072/Kernel-Live-Patch-Security-Notice-LSN-0098-1.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=0323bce598eea038714f941ce2b22541c46d488f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://kernel.dance/0323bce598eea038714f941ce2b22541c46d488f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20240202-0003/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5480"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5492"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "cve-coordination@google.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:1831", "cpe": "cpe:/o:redhat:rhel_els:6", "package": "kernel-0:2.6.32-754.53.1.el6", "product_name": "Red Hat Enterprise Linux 6 Extended Lifecycle Support", "release_date": "2024-04-16T00:00:00Z"}, {"advisory": "RHSA-2023:7424", "cpe": "cpe:/a:redhat:rhel_extras_rt:7", "package": "kernel-rt-0:3.10.0-1160.105.1.rt56.1256.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7419", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7423", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "kernel-0:3.10.0-1160.105.1.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7294", "cpe": "cpe:/o:redhat:rhel_aus:7.6", "package": "kernel-0:3.10.0-957.108.1.el7", "product_name": "Red Hat Enterprise Linux 7.6 Advanced Update Support(Disable again in 2026 - SPRHEL-7118)", "release_date": "2023-11-15T00:00:00Z"}, {"advisory": "RHSA-2024:0262", "cpe": "cpe:/o:redhat:rhel_aus:7.7", "package": "kernel-0:3.10.0-1062.82.1.el7", "product_name": "Red Hat Enterprise Linux 7.7 Advanced Update Support", "release_date": "2024-01-16T00:00:00Z"}, {"advisory": "RHSA-2023:5255", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-477.27.1.rt7.290.el8_8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-09-19T00:00:00Z"}, {"advisory": "RHSA-2023:5221", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-09-19T00:00:00Z"}, {"advisory": "RHSA-2023:5244", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-477.27.1.el8_8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-09-19T00:00:00Z"}, {"advisory": "RHSA-2023:6799", "cpe": "cpe:/o:redhat:rhel_e4s:8.1", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2023-11-08T00:00:00Z"}, {"advisory": "RHSA-2023:6813", "cpe": "cpe:/o:redhat:rhel_e4s:8.1", "package": "kernel-0:4.18.0-147.94.1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2023-11-08T00:00:00Z"}, {"advisory": "RHSA-2023:7434", "cpe": "cpe:/o:redhat:rhel_aus:8.2", "package": "kernel-0:4.18.0-193.119.1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7431", "cpe": "cpe:/a:redhat:rhel_tus:8.2::nfv", "package": "kernel-rt-0:4.18.0-193.119.1.rt13.170.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7434", "cpe": "cpe:/o:redhat:rhel_tus:8.2", "package": "kernel-0:4.18.0-193.119.1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7417", "cpe": "cpe:/o:redhat:rhel_e4s:8.2", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7434", "cpe": "cpe:/o:redhat:rhel_e4s:8.2", "package": "kernel-0:4.18.0-193.119.1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:5628", "cpe": "cpe:/o:redhat:rhel_aus:8.4", "package": "kernel-0:4.18.0-305.108.1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2023-10-10T00:00:00Z"}, {"advisory": "RHSA-2023:5794", "cpe": "cpe:/a:redhat:rhel_tus:8.4::nfv", "package": "kernel-rt-0:4.18.0-305.108.1.rt7.183.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2023-10-17T00:00:00Z"}, {"advisory": "RHSA-2023:5628", "cpe": "cpe:/o:redhat:rhel_tus:8.4", "package": "kernel-0:4.18.0-305.108.1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2023-10-10T00:00:00Z"}, {"advisory": "RHSA-2023:5628", "cpe": "cpe:/o:redhat:rhel_e4s:8.4", "package": "kernel-0:4.18.0-305.108.1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2023-10-10T00:00:00Z"}, {"advisory": "RHSA-2023:5775", "cpe": "cpe:/o:redhat:rhel_e4s:8.4", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2023-10-17T00:00:00Z"}, {"advisory": "RHSA-2023:7398", "cpe": "cpe:/o:redhat:rhel_eus:8.6", "package": "kernel-0:4.18.0-372.80.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7410", "cpe": "cpe:/o:redhat:rhel_eus:8.6", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:5069", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-284.30.1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-09-12T00:00:00Z"}, {"advisory": "RHSA-2023:5091", "cpe": "cpe:/a:redhat:enterprise_linux:9::nfv", "package": "kernel-rt-0:5.14.0-284.30.1.rt14.315.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-09-12T00:00:00Z"}, {"advisory": "RHSA-2023:5069", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-284.30.1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-09-12T00:00:00Z"}, {"advisory": "RHSA-2023:5093", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-09-12T00:00:00Z"}, {"advisory": "RHSA-2023:7382", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "kernel-0:5.14.0-70.80.1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7389", "cpe": "cpe:/a:redhat:rhel_eus:9.0::nfv", "package": "kernel-rt-0:5.14.0-70.80.1.rt21.151.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7411", "cpe": "cpe:/o:redhat:rhel_eus:9.0", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7398", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package": "kernel-0:4.18.0-372.80.1.el8_6", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2023-11-21T00:00:00Z"}], "bugzilla": {"description": "kernel: net/sched: cls_fw component can be exploited as result of failure in tcf_change_indev function", "id": "2225097", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2225097"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.\nIf tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\nWe recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.", "A use-after-free vulnerability was found in fw_set_parms in net/sched/cls_fw.c in network scheduler sub-component in the Linux Kernel. This issue occurs due to a missing sanity check during cleanup at the time of failure, leading to a misleading reference. This may allow a local attacker to gain local privilege escalation."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent module cls_fw from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically."}, "name": "CVE-2023-3776", "public_date": "2023-07-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-3776\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-3776\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=0323bce598eea038714f941ce2b22541c46d488f"], "threat_severity": "Important"}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object