CVE-2023-52439 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: uio: Fix use-after-free in uio_open core-1 core-2 ------------------------------------------------------- uio_unregister_device uio_open idev = idr_find() device_unregister(&idev->dev) put_device(&idev->dev) uio_device_release get_device(&idev->dev) kfree(idev) uio_free_minor(minor) uio_release put_device(&idev->dev) kfree(idev) ------------------------------------------------------- In the core-1 uio_unregister_device(), the device_unregister will kfree idev when the idev->dev kobject ref is 1. But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then: 1. After core-1 kfree idev, the core-2 will do use-after-free for idev. 2. When core-2 do uio_release and put_device, the idev will be double freed. To address this issue, we can get idev atomic & inc idev reference with minor_lock.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Linux	Linux Kernel
Redhat	Enterprise Linux Rhel Aus Rhel E4s Rhel Eus Rhel Tus

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:4.18:-::::::
	cpe:2.3:o:linux:linux_kernel:4.18:rc5::::::
	cpe:2.3:o:linux:linux_kernel:4.18:rc6::::::
	cpe:2.3:o:linux:linux_kernel:4.18:rc7::::::
	cpe:2.3:o:linux:linux_kernel:4.18:rc8::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
kernel-rt-0:4.18.0-553.5.1.rt7.346.el8_10	cpe:/a:redhat:enterprise_linux:8::nfv	RHSA-2024:3627	2024-06-05T00:00:00Z
kernel-0:4.18.0-553.5.1.el8_10	cpe:/o:redhat:enterprise_linux:8	RHSA-2024:3618	2024-06-05T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
kernel-0:4.18.0-372.118.1.el8_6	cpe:/o:redhat:rhel_aus:8.6	RHSA-2024:5281	2024-08-13T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
kernel-0:4.18.0-372.118.1.el8_6	cpe:/o:redhat:rhel_tus:8.6	RHSA-2024:5281	2024-08-13T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
kernel-0:4.18.0-372.118.1.el8_6	cpe:/o:redhat:rhel_e4s:8.6	RHSA-2024:5281	2024-08-13T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
kernel-0:4.18.0-477.74.1.el8_8	cpe:/o:redhat:rhel_eus:8.8	RHSA-2024:6993	2024-09-24T00:00:00Z
Red Hat Enterprise Linux 9
kernel-0:5.14.0-427.37.1.el9_4	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:6997	2024-09-24T00:00:00Z
kernel-0:5.14.0-427.37.1.el9_4	cpe:/o:redhat:enterprise_linux:9	RHSA-2024:6997	2024-09-24T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
kernel-0:5.14.0-284.75.1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2024:4823	2024-07-24T00:00:00Z
kernel-rt-0:5.14.0-284.75.1.rt14.360.el9_2	cpe:/a:redhat:rhel_eus:9.2::nfv	RHSA-2024:4831	2024-07-24T00:00:00Z

References

Link	Providers
https://git.kernel.org/stable/c/0c9ae0b8605078eafc3bea053cc78791e97ba2e2
https://git.kernel.org/stable/c/17a8519cb359c3b483fb5c7367efa9a8a508bdea
https://git.kernel.org/stable/c/3174e0f7de1ba392dc191625da83df02d695b60c
https://git.kernel.org/stable/c/35f102607054faafe78d2a6994b18d5d9d6e92ad
https://git.kernel.org/stable/c/5cf604ee538ed0c467abe3b4cda5308a6398f0f7
https://git.kernel.org/stable/c/5e0be1229ae199ebb90b33102f74a0f22d152570
https://git.kernel.org/stable/c/913205930da6213305616ac539447702eaa85e41
https://git.kernel.org/stable/c/e93da893d52d82d57fc0db2ca566024e0f26ff50
https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
https://lore.kernel.org/linux-cve-announce/2024022026-wobbling-jumbo-748e@gregkh/T/#u
https://nvd.nist.gov/vuln/detail/CVE-2023-52439
https://security.netapp.com/advisory/ntap-20241227-0006/
https://www.cve.org/CVERecord?id=CVE-2023-52439

History

Fri, 27 Dec 2024 16:45:00 +0000

Type	Values Removed	Values Added
References		https://security.netapp.com/advisory/ntap-20241227-0006/

Fri, 22 Nov 2024 12:00:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

Mon, 04 Nov 2024 13:45:00 +0000

Type	Values Removed	Values Added
References	https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

Tue, 24 Sep 2024 11:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:9 cpe:/o:redhat:enterprise_linux:9 cpe:/o:redhat:rhel_eus:8.8

Wed, 11 Sep 2024 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 13 Aug 2024 23:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel E4s Redhat rhel Tus
CPEs		cpe:/o:redhat:rhel_aus:8.6 cpe:/o:redhat:rhel_e4s:8.6 cpe:/o:redhat:rhel_tus:8.6
Vendors & Products		Redhat rhel Aus Redhat rhel E4s Redhat rhel Tus

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-02-20T18:34:49.323Z

Updated: 2025-05-04T12:49:00.841Z

Reserved: 2024-02-20T12:30:33.291Z

Link: CVE-2023-52439

Vulnrichment

Updated: 2024-12-27T16:03:00.894Z

NVD

Status : Modified

Published: 2024-02-20T21:15:08.213

Modified: 2024-12-27T16:15:23.080

Link: CVE-2023-52439

Redhat

Severity : Moderate

Publid Date: 2024-02-20T00:00:00Z

Links: CVE-2023-52439 - Bugzilla

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2023-52439", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-20T12:30:33.291Z", "datePublished": "2024-02-20T18:34:49.323Z", "dateUpdated": "2025-05-04T12:49:00.841Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T12:49:00.841Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio: Fix use-after-free in uio_open\n\ncore-1\t\t\t\tcore-2\n-------------------------------------------------------\nuio_unregister_device\t\tuio_open\n\t\t\t\tidev = idr_find()\ndevice_unregister(&idev->dev)\nput_device(&idev->dev)\nuio_device_release\n\t\t\t\tget_device(&idev->dev)\nkfree(idev)\nuio_free_minor(minor)\n\t\t\t\tuio_release\n\t\t\t\tput_device(&idev->dev)\n\t\t\t\tkfree(idev)\n-------------------------------------------------------\n\nIn the core-1 uio_unregister_device(), the device_unregister will kfree\nidev when the idev->dev kobject ref is 1. But after core-1\ndevice_unregister, put_device and before doing kfree, the core-2 may\nget_device. Then:\n1. After core-1 kfree idev, the core-2 will do use-after-free for idev.\n2. When core-2 do uio_release and put_device, the idev will be double\n freed.\n\nTo address this issue, we can get idev atomic & inc idev reference with\nminor_lock."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/uio/uio.c"], "versions": [{"version": "57c5f4df0a5a0ee83df799991251e2ee93a5e4e9", "lessThan": "3174e0f7de1ba392dc191625da83df02d695b60c", "status": "affected", "versionType": "git"}, {"version": "57c5f4df0a5a0ee83df799991251e2ee93a5e4e9", "lessThan": "e93da893d52d82d57fc0db2ca566024e0f26ff50", "status": "affected", "versionType": "git"}, {"version": "57c5f4df0a5a0ee83df799991251e2ee93a5e4e9", "lessThan": "5e0be1229ae199ebb90b33102f74a0f22d152570", "status": "affected", "versionType": "git"}, {"version": "57c5f4df0a5a0ee83df799991251e2ee93a5e4e9", "lessThan": "5cf604ee538ed0c467abe3b4cda5308a6398f0f7", "status": "affected", "versionType": "git"}, {"version": "57c5f4df0a5a0ee83df799991251e2ee93a5e4e9", "lessThan": "17a8519cb359c3b483fb5c7367efa9a8a508bdea", "status": "affected", "versionType": "git"}, {"version": "57c5f4df0a5a0ee83df799991251e2ee93a5e4e9", "lessThan": "35f102607054faafe78d2a6994b18d5d9d6e92ad", "status": "affected", "versionType": "git"}, {"version": "57c5f4df0a5a0ee83df799991251e2ee93a5e4e9", "lessThan": "913205930da6213305616ac539447702eaa85e41", "status": "affected", "versionType": "git"}, {"version": "57c5f4df0a5a0ee83df799991251e2ee93a5e4e9", "lessThan": "0c9ae0b8605078eafc3bea053cc78791e97ba2e2", "status": "affected", "versionType": "git"}, {"version": "13af019c87f2d90e663742cb1a819834048842ae", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/uio/uio.c"], "versions": [{"version": "4.18", "status": "affected"}, {"version": "0", "lessThan": "4.18", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.306", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.268", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.209", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.148", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.74", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.13", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7.1", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.18", "versionEndExcluding": "4.19.306"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.18", "versionEndExcluding": "5.4.268"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.18", "versionEndExcluding": "5.10.209"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.18", "versionEndExcluding": "5.15.148"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.18", "versionEndExcluding": "6.1.74"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.18", "versionEndExcluding": "6.6.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.18", "versionEndExcluding": "6.7.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.18", "versionEndExcluding": "6.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.100"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3174e0f7de1ba392dc191625da83df02d695b60c"}, {"url": "https://git.kernel.org/stable/c/e93da893d52d82d57fc0db2ca566024e0f26ff50"}, {"url": "https://git.kernel.org/stable/c/5e0be1229ae199ebb90b33102f74a0f22d152570"}, {"url": "https://git.kernel.org/stable/c/5cf604ee538ed0c467abe3b4cda5308a6398f0f7"}, {"url": "https://git.kernel.org/stable/c/17a8519cb359c3b483fb5c7367efa9a8a508bdea"}, {"url": "https://git.kernel.org/stable/c/35f102607054faafe78d2a6994b18d5d9d6e92ad"}, {"url": "https://git.kernel.org/stable/c/913205930da6213305616ac539447702eaa85e41"}, {"url": "https://git.kernel.org/stable/c/0c9ae0b8605078eafc3bea053cc78791e97ba2e2"}], "title": "uio: Fix use-after-free in uio_open", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/3174e0f7de1ba392dc191625da83df02d695b60c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e93da893d52d82d57fc0db2ca566024e0f26ff50", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5e0be1229ae199ebb90b33102f74a0f22d152570", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5cf604ee538ed0c467abe3b4cda5308a6398f0f7", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/17a8519cb359c3b483fb5c7367efa9a8a508bdea", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/35f102607054faafe78d2a6994b18d5d9d6e92ad", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/913205930da6213305616ac539447702eaa85e41", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0c9ae0b8605078eafc3bea053cc78791e97ba2e2", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20241227-0006/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-12-27T16:03:00.894Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52439", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:02:55.773038Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:35.621Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/3174e0f7de1ba392dc191625da83df02d695b60c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e93da893d52d82d57fc0db2ca566024e0f26ff50", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5e0be1229ae199ebb90b33102f74a0f22d152570", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5cf604ee538ed0c467abe3b4cda5308a6398f0f7", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/17a8519cb359c3b483fb5c7367efa9a8a508bdea", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/35f102607054faafe78d2a6994b18d5d9d6e92ad", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/913205930da6213305616ac539447702eaa85e41", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0c9ae0b8605078eafc3bea053cc78791e97ba2e2", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20241227-0006/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-12-27T16:03:00.894Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52439", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:02:55.773038Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:17.509Z"}}], "cna": {"title": "uio: Fix use-after-free in uio_open", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "57c5f4df0a5a0ee83df799991251e2ee93a5e4e9", "lessThan": "3174e0f7de1ba392dc191625da83df02d695b60c", "versionType": "git"}, {"status": "affected", "version": "57c5f4df0a5a0ee83df799991251e2ee93a5e4e9", "lessThan": "e93da893d52d82d57fc0db2ca566024e0f26ff50", "versionType": "git"}, {"status": "affected", "version": "57c5f4df0a5a0ee83df799991251e2ee93a5e4e9", "lessThan": "5e0be1229ae199ebb90b33102f74a0f22d152570", "versionType": "git"}, {"status": "affected", "version": "57c5f4df0a5a0ee83df799991251e2ee93a5e4e9", "lessThan": "5cf604ee538ed0c467abe3b4cda5308a6398f0f7", "versionType": "git"}, {"status": "affected", "version": "57c5f4df0a5a0ee83df799991251e2ee93a5e4e9", "lessThan": "17a8519cb359c3b483fb5c7367efa9a8a508bdea", "versionType": "git"}, {"status": "affected", "version": "57c5f4df0a5a0ee83df799991251e2ee93a5e4e9", "lessThan": "35f102607054faafe78d2a6994b18d5d9d6e92ad", "versionType": "git"}, {"status": "affected", "version": "57c5f4df0a5a0ee83df799991251e2ee93a5e4e9", "lessThan": "913205930da6213305616ac539447702eaa85e41", "versionType": "git"}, {"status": "affected", "version": "57c5f4df0a5a0ee83df799991251e2ee93a5e4e9", "lessThan": "0c9ae0b8605078eafc3bea053cc78791e97ba2e2", "versionType": "git"}, {"status": "affected", "version": "13af019c87f2d90e663742cb1a819834048842ae", "versionType": "git"}], "programFiles": ["drivers/uio/uio.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "4.18"}, {"status": "unaffected", "version": "0", "lessThan": "4.18", "versionType": "semver"}, {"status": "unaffected", "version": "4.19.306", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.268", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.209", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.148", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.74", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.13", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.1", "versionType": "semver", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/uio/uio.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/3174e0f7de1ba392dc191625da83df02d695b60c"}, {"url": "https://git.kernel.org/stable/c/e93da893d52d82d57fc0db2ca566024e0f26ff50"}, {"url": "https://git.kernel.org/stable/c/5e0be1229ae199ebb90b33102f74a0f22d152570"}, {"url": "https://git.kernel.org/stable/c/5cf604ee538ed0c467abe3b4cda5308a6398f0f7"}, {"url": "https://git.kernel.org/stable/c/17a8519cb359c3b483fb5c7367efa9a8a508bdea"}, {"url": "https://git.kernel.org/stable/c/35f102607054faafe78d2a6994b18d5d9d6e92ad"}, {"url": "https://git.kernel.org/stable/c/913205930da6213305616ac539447702eaa85e41"}, {"url": "https://git.kernel.org/stable/c/0c9ae0b8605078eafc3bea053cc78791e97ba2e2"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio: Fix use-after-free in uio_open\n\ncore-1\t\t\t\tcore-2\n-------------------------------------------------------\nuio_unregister_device\t\tuio_open\n\t\t\t\tidev = idr_find()\ndevice_unregister(&idev->dev)\nput_device(&idev->dev)\nuio_device_release\n\t\t\t\tget_device(&idev->dev)\nkfree(idev)\nuio_free_minor(minor)\n\t\t\t\tuio_release\n\t\t\t\tput_device(&idev->dev)\n\t\t\t\tkfree(idev)\n-------------------------------------------------------\n\nIn the core-1 uio_unregister_device(), the device_unregister will kfree\nidev when the idev->dev kobject ref is 1. But after core-1\ndevice_unregister, put_device and before doing kfree, the core-2 may\nget_device. Then:\n1. After core-1 kfree idev, the core-2 will do use-after-free for idev.\n2. When core-2 do uio_release and put_device, the idev will be double\n freed.\n\nTo address this issue, we can get idev atomic & inc idev reference with\nminor_lock."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.19.306", "versionStartIncluding": "4.18"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.4.268", "versionStartIncluding": "4.18"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.209", "versionStartIncluding": "4.18"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.148", "versionStartIncluding": "4.18"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.1.74", "versionStartIncluding": "4.18"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.13", "versionStartIncluding": "4.18"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.7.1", "versionStartIncluding": "4.18"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.8", "versionStartIncluding": "4.18"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "4.14.100"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T12:49:00.841Z"}}}, "cveMetadata": {"cveId": "CVE-2023-52439", "state": "PUBLISHED", "dateUpdated": "2025-05-04T12:49:00.841Z", "dateReserved": "2024-02-20T12:30:33.291Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-02-20T18:34:49.323Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A94A44F-4F9A-4447-AF13-47B88B4CD211", "versionEndExcluding": "4.19.306", "versionStartExcluding": "4.18.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "35ADF607-EDCA-45AB-8FB6-9F2D40D47C0C", "versionEndExcluding": "5.4.268", "versionStartIncluding": "4.20.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D2E4F24-2FBB-4434-8598-2B1499E566B5", "versionEndExcluding": "5.10.209", "versionStartIncluding": "5.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E25E1389-4B0F-407A-9C94-5908FF3EE88B", "versionEndExcluding": "5.15.148", "versionStartIncluding": "5.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7DD9841-CE11-470D-A285-A2E8E0F6640D", "versionEndExcluding": "6.1.74", "versionStartIncluding": "5.16.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "74A1FFC7-19FA-450E-BC2D-2BBD2EBF0A5F", "versionEndExcluding": "6.6.13", "versionStartIncluding": "6.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "664EB721-F519-48BB-B1C8-897D5990CD78", "versionEndExcluding": "6.7.1", "versionStartIncluding": "6.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.18:-:*:*:*:*:*:*", "matchCriteriaId": "6AE7DC47-EAFA-42D5-BCF5-C7039EE3D771", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.18:rc5:*:*:*:*:*:*", "matchCriteriaId": "DB2B91AF-ACE1-4F6F-B2D0-9D4B7D8D20CE", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.18:rc6:*:*:*:*:*:*", "matchCriteriaId": "30FBD992-DD41-441E-A6C7-D39DAC45DA34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.18:rc7:*:*:*:*:*:*", "matchCriteriaId": "10979D17-76B4-465F-A475-78680FBECEBD", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.18:rc8:*:*:*:*:*:*", "matchCriteriaId": "56BF1EDD-3351-4E3E-AD42-54AF093ADB89", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio: Fix use-after-free in uio_open\n\ncore-1\t\t\t\tcore-2\n-------------------------------------------------------\nuio_unregister_device\t\tuio_open\n\t\t\t\tidev = idr_find()\ndevice_unregister(&idev->dev)\nput_device(&idev->dev)\nuio_device_release\n\t\t\t\tget_device(&idev->dev)\nkfree(idev)\nuio_free_minor(minor)\n\t\t\t\tuio_release\n\t\t\t\tput_device(&idev->dev)\n\t\t\t\tkfree(idev)\n-------------------------------------------------------\n\nIn the core-1 uio_unregister_device(), the device_unregister will kfree\nidev when the idev->dev kobject ref is 1. But after core-1\ndevice_unregister, put_device and before doing kfree, the core-2 may\nget_device. Then:\n1. After core-1 kfree idev, the core-2 will do use-after-free for idev.\n2. When core-2 do uio_release and put_device, the idev will be double\n freed.\n\nTo address this issue, we can get idev atomic & inc idev reference with\nminor_lock."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: uio: corrige use-after-free en uio_open core-1 core-2 ------------------------------------------------------- uio_unregister_device uio_open idev = idr_find() device_unregister(&idev->dev) put_device(&idev->dev) uio_device_release get_device(&idev->dev) kfree(idev) uio_free_minor(minor) uio_release put_device(&idev->dev) kfree(idev) ------------------------------------------------------- In the core-1 uio_unregister_device(), the device_unregister se liberar\u00e1 idev cuando la referencia del objeto idev->dev kobject es 1. But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then: 1. After core-1 kfree idev, the core-2 will do use-after-free for idev. 2. When core-2 do uio_release and put_device, el idev se liberar\u00e1 dos veces. Para solucionar este problema, podemos obtener la referencia de idev atomic & inc idev con minor_lock."}], "id": "CVE-2023-52439", "lastModified": "2024-12-27T16:15:23.080", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-20T21:15:08.213", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0c9ae0b8605078eafc3bea053cc78791e97ba2e2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/17a8519cb359c3b483fb5c7367efa9a8a508bdea"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3174e0f7de1ba392dc191625da83df02d695b60c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/35f102607054faafe78d2a6994b18d5d9d6e92ad"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5cf604ee538ed0c467abe3b4cda5308a6398f0f7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5e0be1229ae199ebb90b33102f74a0f22d152570"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/913205930da6213305616ac539447702eaa85e41"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e93da893d52d82d57fc0db2ca566024e0f26ff50"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0c9ae0b8605078eafc3bea053cc78791e97ba2e2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/17a8519cb359c3b483fb5c7367efa9a8a508bdea"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3174e0f7de1ba392dc191625da83df02d695b60c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/35f102607054faafe78d2a6994b18d5d9d6e92ad"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5cf604ee538ed0c467abe3b4cda5308a6398f0f7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5e0be1229ae199ebb90b33102f74a0f22d152570"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/913205930da6213305616ac539447702eaa85e41"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e93da893d52d82d57fc0db2ca566024e0f26ff50"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20241227-0006/"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-415"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3627", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-553.5.1.rt7.346.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-06-05T00:00:00Z"}, {"advisory": "RHSA-2024:3618", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-553.5.1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-06-05T00:00:00Z"}, {"advisory": "RHSA-2024:5281", "cpe": "cpe:/o:redhat:rhel_aus:8.6", "package": "kernel-0:4.18.0-372.118.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5281", "cpe": "cpe:/o:redhat:rhel_tus:8.6", "package": "kernel-0:4.18.0-372.118.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5281", "cpe": "cpe:/o:redhat:rhel_e4s:8.6", "package": "kernel-0:4.18.0-372.118.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:6993", "cpe": "cpe:/o:redhat:rhel_eus:8.8", "package": "kernel-0:4.18.0-477.74.1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:6997", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-427.37.1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:6997", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-427.37.1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:4823", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "kernel-0:5.14.0-284.75.1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4831", "cpe": "cpe:/a:redhat:rhel_eus:9.2::nfv", "package": "kernel-rt-0:5.14.0-284.75.1.rt14.360.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-07-24T00:00:00Z"}], "bugzilla": {"description": "kernel: uio: Fix use-after-free in uio_open", "id": "2265271", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265271"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nuio: Fix use-after-free in uio_open\ncore-1core-2\n-------------------------------------------------------\nuio_unregister_deviceuio_open\nidev = idr_find()\ndevice_unregister(&idev->dev)\nput_device(&idev->dev)\nuio_device_release\nget_device(&idev->dev)\nkfree(idev)\nuio_free_minor(minor)\nuio_release\nput_device(&idev->dev)\nkfree(idev)\n-------------------------------------------------------\nIn the core-1 uio_unregister_device(), the device_unregister will kfree\nidev when the idev->dev kobject ref is 1. But after core-1\ndevice_unregister, put_device and before doing kfree, the core-2 may\nget_device. Then:\n1. After core-1 kfree idev, the core-2 will do use-after-free for idev.\n2. When core-2 do uio_release and put_device, the idev will be double\nfreed.\nTo address this issue, we can get idev atomic & inc idev reference with\nminor_lock.", "A flaw was found in the Linux kernel\u2019s uio subsystem. A use-after-free memory flaw in the uio_open functionality allows a local user to crash or escalate their privileges on the system."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent module uio from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically."}, "name": "CVE-2023-52439", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-02-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-52439\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52439\nhttps://lore.kernel.org/linux-cve-announce/2024022026-wobbling-jumbo-748e@gregkh/T/#u"], "threat_severity": "Moderate"}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object