CVE-2023-4623 - Vulnerability Details

A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation. If a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free. We recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Debian	Debian Linux
Linux	Linux Kernel
Redhat	Enterprise Linux Rhel Aus Rhel E4s Rhel Eus Rhel Extras Rt Rhel Tus Rhev Hypervisor

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7
kernel-rt-0:3.10.0-1160.118.1.rt56.1269.el7	cpe:/a:redhat:rhel_extras_rt:7	RHSA-2024:2003	2024-04-23T00:00:00Z
kpatch-patch	cpe:/o:redhat:enterprise_linux:7	RHSA-2024:1960	2024-04-23T00:00:00Z
kernel-0:3.10.0-1160.118.1.el7	cpe:/o:redhat:enterprise_linux:7	RHSA-2024:2004	2024-04-23T00:00:00Z
Red Hat Enterprise Linux 7.6 Advanced Update Support(Disable again in 2026 - SPRHEL-7118)
kernel-0:3.10.0-957.112.1.el7	cpe:/o:redhat:rhel_aus:7.6	RHSA-2024:1747	2024-04-10T00:00:00Z
Red Hat Enterprise Linux 7.7 Advanced Update Support
kernel-0:3.10.0-1062.87.1.el7	cpe:/o:redhat:rhel_aus:7.7	RHSA-2024:1746	2024-04-10T00:00:00Z
Red Hat Enterprise Linux 8
kernel-rt-0:4.18.0-513.18.1.rt7.320.el8_9	cpe:/a:redhat:enterprise_linux:8::nfv	RHSA-2024:0881	2024-02-20T00:00:00Z
kpatch-patch	cpe:/o:redhat:enterprise_linux:8	RHSA-2024:0876	2024-02-20T00:00:00Z
kernel-0:4.18.0-513.18.1.el8_9	cpe:/o:redhat:enterprise_linux:8	RHSA-2024:0897	2024-02-20T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
kernel-0:4.18.0-193.128.1.el8_2	cpe:/o:redhat:rhel_aus:8.2	RHSA-2024:1268	2024-03-12T00:00:00Z
Red Hat Enterprise Linux 8.2 Telecommunications Update Service
kernel-rt-0:4.18.0-193.128.1.rt13.179.el8_2	cpe:/a:redhat:rhel_tus:8.2::nfv	RHSA-2024:1269	2024-03-12T00:00:00Z
kernel-0:4.18.0-193.128.1.el8_2	cpe:/o:redhat:rhel_tus:8.2	RHSA-2024:1268	2024-03-12T00:00:00Z
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
kernel-0:4.18.0-193.128.1.el8_2	cpe:/o:redhat:rhel_e4s:8.2	RHSA-2024:1268	2024-03-12T00:00:00Z
kpatch-patch	cpe:/o:redhat:rhel_e4s:8.2	RHSA-2024:1278	2024-03-12T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
kernel-0:4.18.0-305.120.1.el8_4	cpe:/o:redhat:rhel_aus:8.4	RHSA-2024:0562	2024-01-30T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
kernel-rt-0:4.18.0-305.120.1.rt7.196.el8_4	cpe:/a:redhat:rhel_tus:8.4::nfv	RHSA-2024:0563	2024-01-30T00:00:00Z
kernel-0:4.18.0-305.120.1.el8_4	cpe:/o:redhat:rhel_tus:8.4	RHSA-2024:0562	2024-01-30T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
kernel-0:4.18.0-305.120.1.el8_4	cpe:/o:redhat:rhel_e4s:8.4	RHSA-2024:0562	2024-01-30T00:00:00Z
kpatch-patch	cpe:/o:redhat:rhel_e4s:8.4	RHSA-2024:0593	2024-01-30T00:00:00Z
Red Hat Enterprise Linux 8.6 Extended Update Support
kpatch-patch	cpe:/o:redhat:rhel_eus:8.6	RHSA-2024:0378	2024-01-23T00:00:00Z
kernel-0:4.18.0-372.87.1.el8_6	cpe:/o:redhat:rhel_eus:8.6	RHSA-2024:0412	2024-01-25T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
kpatch-patch	cpe:/o:redhat:rhel_eus:8.8	RHSA-2024:0554	2024-01-30T00:00:00Z
kernel-0:4.18.0-477.43.1.el8_8	cpe:/o:redhat:rhel_eus:8.8	RHSA-2024:0575	2024-01-30T00:00:00Z
Red Hat Enterprise Linux 9
kernel-0:5.14.0-362.18.1.el9_3	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:0461	2024-01-25T00:00:00Z
kpatch-patch	cpe:/o:redhat:enterprise_linux:9	RHSA-2024:0340	2024-01-23T00:00:00Z
kernel-0:5.14.0-362.18.1.el9_3	cpe:/o:redhat:enterprise_linux:9	RHSA-2024:0461	2024-01-25T00:00:00Z
Red Hat Enterprise Linux 9.0 Extended Update Support
kernel-0:5.14.0-70.85.1.el9_0	cpe:/a:redhat:rhel_eus:9.0	RHSA-2024:0432	2024-01-25T00:00:00Z
kernel-rt-0:5.14.0-70.85.1.rt21.156.el9_0	cpe:/a:redhat:rhel_eus:9.0::nfv	RHSA-2024:0431	2024-01-25T00:00:00Z
kpatch-patch	cpe:/o:redhat:rhel_eus:9.0	RHSA-2024:0386	2024-01-24T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
kernel-0:5.14.0-284.48.1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2024:0448	2024-01-25T00:00:00Z
kernel-rt-0:5.14.0-284.48.1.rt14.333.el9_2	cpe:/a:redhat:rhel_eus:9.2::nfv	RHSA-2024:0439	2024-01-25T00:00:00Z
kpatch-patch	cpe:/o:redhat:rhel_eus:9.2	RHSA-2024:0381	2024-01-23T00:00:00Z
Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
kernel-0:4.18.0-372.87.1.el8_6	cpe:/o:redhat:rhev_hypervisor:4.4::el8	RHSA-2024:0412	2024-01-25T00:00:00Z

References

Link	Providers
http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b3d26c5702c7d6c45456326e56d2ccf3f103e60f
https://kernel.dance/b3d26c5702c7d6c45456326e56d2ccf3f103e60f
https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html
https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html
https://nvd.nist.gov/vuln/detail/CVE-2023-4623
https://www.cve.org/CVERecord?id=CVE-2023-4623

History

Tue, 04 Mar 2025 03:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 13 Feb 2025 17:30:00 +0000

Type	Values Removed	Values Added
Description	A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation. If a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free. We recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.	A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation. If a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free. We recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.

MITRE

Status: PUBLISHED

Assigner: Google

Published: 2023-09-06T13:56:57.295Z

Updated: 2025-02-27T21:00:32.991Z

Reserved: 2023-08-30T11:58:12.267Z

Link: CVE-2023-4623

Vulnrichment

Updated: 2024-08-02T07:31:06.625Z

NVD

Status : Analyzed

Published: 2023-09-06T14:15:12.357

Modified: 2025-03-20T16:59:51.550

Link: CVE-2023-4623

Redhat

Severity : Important

Publid Date: 2023-09-06T00:00:00Z

Links: CVE-2023-4623 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4623", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2023-08-30T11:58:12.267Z", "datePublished": "2023-09-06T13:56:57.295Z", "dateUpdated": "2025-02-27T21:00:32.991Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2024-01-11T19:06:55.765Z"}, "title": "Use-after-free in Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component", "datePublic": "2023-08-26T01:57:54.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-416", "description": "CWE-416 Use After Free", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "affected": [{"vendor": "Linux", "product": "Kernel", "packageName": "kernel", "repo": "https://git.kernel.org", "versions": [{"status": "affected", "version": "2.6.12", "lessThan": "6.6", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation.\n\nIf a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free.\n\nWe recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f."}], "references": [{"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b3d26c5702c7d6c45456326e56d2ccf3f103e60f", "tags": ["patch"]}, {"url": "https://kernel.dance/b3d26c5702c7d6c45456326e56d2ccf3f103e60f"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"}, {"url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Budimir Markovic", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:31:06.625Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b3d26c5702c7d6c45456326e56d2ccf3f103e60f", "tags": ["patch", "x_transferred"]}, {"url": "https://kernel.dance/b3d26c5702c7d6c45456326e56d2ccf3f103e60f", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-26T21:52:35.435762Z", "id": "CVE-2023-4623", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-27T21:00:32.991Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4623", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2023-08-30T11:58:12.267Z", "datePublished": "2023-09-06T13:56:57.295Z", "dateUpdated": "2025-02-27T21:00:32.991Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2024-01-11T19:06:55.765Z"}, "title": "Use-after-free in Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component", "datePublic": "2023-08-26T01:57:54.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-416", "description": "CWE-416 Use After Free", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "affected": [{"vendor": "Linux", "product": "Kernel", "packageName": "kernel", "repo": "https://git.kernel.org", "versions": [{"status": "affected", "version": "2.6.12", "lessThan": "6.6", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation.\n\nIf a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free.\n\nWe recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f."}], "references": [{"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b3d26c5702c7d6c45456326e56d2ccf3f103e60f", "tags": ["patch"]}, {"url": "https://kernel.dance/b3d26c5702c7d6c45456326e56d2ccf3f103e60f"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"}, {"url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Budimir Markovic", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:31:06.625Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b3d26c5702c7d6c45456326e56d2ccf3f103e60f", "tags": ["patch", "x_transferred"]}, {"url": "https://kernel.dance/b3d26c5702c7d6c45456326e56d2ccf3f103e60f", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-4623", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-26T21:52:35.435762Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-26T20:38:23.976Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "97B268FE-B571-4275-BB68-92D593881C9E", "versionEndExcluding": "4.14.327", "versionStartIncluding": "2.6.12", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D419C7D6-F33D-4EF8-8950-1CB5DDF6A55D", "versionEndExcluding": "4.19.295", "versionStartIncluding": "4.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "834BD148-28EC-43A4-A4F5-458124A1E39F", "versionEndExcluding": "5.4.257", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C385B650-53DB-4BFB-83D1-1D8FADF653EF", "versionEndExcluding": "5.10.195", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5913891D-409A-4EEC-9231-F2EF5A493BC7", "versionEndExcluding": "5.15.132", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B20754AF-3B8C-4574-A70D-EC24933810E5", "versionEndExcluding": "6.1.53", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C3039EA3-F6CA-43EF-9F17-81A7EC6841EF", "versionEndExcluding": "6.4.16", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "880C803A-BEAE-4DA0-8A59-AC023F7B4EE3", "versionEndExcluding": "6.5.3", "versionStartIncluding": "6.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation.\n\nIf a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free.\n\nWe recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f."}, {"lang": "es", "value": "Una vulnerabilidad de Use After Free en el componente net/sched: sch_hfsc (HFSC qdisc traffic control) del kernel de Linux puede ser explotada para conseguir una escalada local de privilegios. Si una clase con una curva de compartici\u00f3n de enlaces (es decir, con la flag HFSC_FSC establecida) tiene un padre sin una curva de compartici\u00f3n de enlaces, entonces init_vf() llamar\u00e1 a vttree_insert() en el padre, pero vttree_remove() se omitir\u00e1 en update_vf(). Esto deja un puntero colgando que puede causar un Use-After-Free. Recomendamos actualizar desde el commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f. "}], "id": "CVE-2023-4623", "lastModified": "2025-03-20T16:59:51.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "cve-coordination@google.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-06T14:15:12.357", "references": [{"source": "cve-coordination@google.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html"}, {"source": "cve-coordination@google.com", "tags": ["Issue Tracking", "Mailing List", "Patch", "Vendor Advisory"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b3d26c5702c7d6c45456326e56d2ccf3f103e60f"}, {"source": "cve-coordination@google.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://kernel.dance/b3d26c5702c7d6c45456326e56d2ccf3f103e60f"}, {"source": "cve-coordination@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"}, {"source": "cve-coordination@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Mailing List", "Patch", "Vendor Advisory"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b3d26c5702c7d6c45456326e56d2ccf3f103e60f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://kernel.dance/b3d26c5702c7d6c45456326e56d2ccf3f103e60f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "cve-coordination@google.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:2003", "cpe": "cpe:/a:redhat:rhel_extras_rt:7", "package": "kernel-rt-0:3.10.0-1160.118.1.rt56.1269.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2024-04-23T00:00:00Z"}, {"advisory": "RHSA-2024:1960", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2024-04-23T00:00:00Z"}, {"advisory": "RHSA-2024:2004", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "kernel-0:3.10.0-1160.118.1.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2024-04-23T00:00:00Z"}, {"advisory": "RHSA-2024:1747", "cpe": "cpe:/o:redhat:rhel_aus:7.6", "package": "kernel-0:3.10.0-957.112.1.el7", "product_name": "Red Hat Enterprise Linux 7.6 Advanced Update Support(Disable again in 2026 - SPRHEL-7118)", "release_date": "2024-04-10T00:00:00Z"}, {"advisory": "RHSA-2024:1746", "cpe": "cpe:/o:redhat:rhel_aus:7.7", "package": "kernel-0:3.10.0-1062.87.1.el7", "product_name": "Red Hat Enterprise Linux 7.7 Advanced Update Support", "release_date": "2024-04-10T00:00:00Z"}, {"advisory": "RHSA-2024:0881", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-513.18.1.rt7.320.el8_9", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-02-20T00:00:00Z"}, {"advisory": "RHSA-2024:0876", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-02-20T00:00:00Z"}, {"advisory": "RHSA-2024:0897", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-513.18.1.el8_9", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-02-20T00:00:00Z"}, {"advisory": "RHSA-2024:1268", "cpe": "cpe:/o:redhat:rhel_aus:8.2", "package": "kernel-0:4.18.0-193.128.1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-03-12T00:00:00Z"}, {"advisory": "RHSA-2024:1269", "cpe": "cpe:/a:redhat:rhel_tus:8.2::nfv", "package": "kernel-rt-0:4.18.0-193.128.1.rt13.179.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2024-03-12T00:00:00Z"}, {"advisory": "RHSA-2024:1268", "cpe": "cpe:/o:redhat:rhel_tus:8.2", "package": "kernel-0:4.18.0-193.128.1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2024-03-12T00:00:00Z"}, {"advisory": "RHSA-2024:1268", "cpe": "cpe:/o:redhat:rhel_e4s:8.2", "package": "kernel-0:4.18.0-193.128.1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2024-03-12T00:00:00Z"}, {"advisory": "RHSA-2024:1278", "cpe": "cpe:/o:redhat:rhel_e4s:8.2", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2024-03-12T00:00:00Z"}, {"advisory": "RHSA-2024:0562", "cpe": "cpe:/o:redhat:rhel_aus:8.4", "package": "kernel-0:4.18.0-305.120.1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-01-30T00:00:00Z"}, {"advisory": "RHSA-2024:0563", "cpe": "cpe:/a:redhat:rhel_tus:8.4::nfv", "package": "kernel-rt-0:4.18.0-305.120.1.rt7.196.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-01-30T00:00:00Z"}, {"advisory": "RHSA-2024:0562", "cpe": "cpe:/o:redhat:rhel_tus:8.4", "package": "kernel-0:4.18.0-305.120.1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-01-30T00:00:00Z"}, {"advisory": "RHSA-2024:0562", "cpe": "cpe:/o:redhat:rhel_e4s:8.4", "package": "kernel-0:4.18.0-305.120.1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-01-30T00:00:00Z"}, {"advisory": "RHSA-2024:0593", "cpe": "cpe:/o:redhat:rhel_e4s:8.4", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-01-30T00:00:00Z"}, {"advisory": "RHSA-2024:0378", "cpe": "cpe:/o:redhat:rhel_eus:8.6", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-01-23T00:00:00Z"}, {"advisory": "RHSA-2024:0412", "cpe": "cpe:/o:redhat:rhel_eus:8.6", "package": "kernel-0:4.18.0-372.87.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-01-25T00:00:00Z"}, {"advisory": "RHSA-2024:0554", "cpe": "cpe:/o:redhat:rhel_eus:8.8", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-01-30T00:00:00Z"}, {"advisory": "RHSA-2024:0575", "cpe": "cpe:/o:redhat:rhel_eus:8.8", "package": "kernel-0:4.18.0-477.43.1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-01-30T00:00:00Z"}, {"advisory": "RHSA-2024:0461", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-362.18.1.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-01-25T00:00:00Z"}, {"advisory": "RHSA-2024:0340", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-01-23T00:00:00Z"}, {"advisory": "RHSA-2024:0461", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-362.18.1.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-01-25T00:00:00Z"}, {"advisory": "RHSA-2024:0432", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "kernel-0:5.14.0-70.85.1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-01-25T00:00:00Z"}, {"advisory": "RHSA-2024:0431", "cpe": "cpe:/a:redhat:rhel_eus:9.0::nfv", "package": "kernel-rt-0:5.14.0-70.85.1.rt21.156.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-01-25T00:00:00Z"}, {"advisory": "RHSA-2024:0386", "cpe": "cpe:/o:redhat:rhel_eus:9.0", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-01-24T00:00:00Z"}, {"advisory": "RHSA-2024:0448", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "kernel-0:5.14.0-284.48.1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-01-25T00:00:00Z"}, {"advisory": "RHSA-2024:0439", "cpe": "cpe:/a:redhat:rhel_eus:9.2::nfv", "package": "kernel-rt-0:5.14.0-284.48.1.rt14.333.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-01-25T00:00:00Z"}, {"advisory": "RHSA-2024:0381", "cpe": "cpe:/o:redhat:rhel_eus:9.2", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-01-23T00:00:00Z"}, {"advisory": "RHSA-2024:0412", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package": "kernel-0:4.18.0-372.87.1.el8_6", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2024-01-25T00:00:00Z"}], "bugzilla": {"description": "kernel: net/sched: sch_hfsc UAF", "id": "2237757", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237757"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation.\nIf a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free.\nWe recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.", "A use-after-free flaw was found in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component that can be exploited to achieve local privilege escalation. If a class with a link-sharing curve, for example, with the HFSC_FSC flag set, has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free issue."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent the module sch_hfsc from being loaded by blacklisting the module to prevent it from loading automatically. \n~~~\nhttps://access.redhat.com/solutions/41278 \n~~~"}, "name": "CVE-2023-4623", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2023-09-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-4623\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-4623\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b3d26c5702c7d6c45456326e56d2ccf3f103e60f"], "threat_severity": "Important"}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object