CVE-2023-4206

Updated: 2023-09-06

CWE: CWE-416 Use After Free

Description:

A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation. When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.
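The accounting problem described above can be reproduced in a small userspace model. This is an added example, not kernel source and not the upstream patch: the struct and function names are simplified stand-ins for the ones named in the description, and the copy_result=false branch is an assumed corrected variant in which the new instance takes its own counted reference.

```c
/* Added illustration: userspace model of filter_cnt accounting (assumed, simplified). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct tc_class   { int filter_cnt; };           /* deletable only at 0 */
struct tcf_result { struct tc_class *class; };   /* filter -> class link */
struct filter     { struct tcf_result res; };

static void bind_filter(struct filter *f, struct tc_class *cl)
{
    cl->filter_cnt++;
    f->res.class = cl;
}

static void unbind_filter(struct filter *f)
{
    if (f->res.class) {
        f->res.class->filter_cnt--;
        f->res.class = NULL;
    }
}

/* Update path: build fnew from fold, then unbind fold on success.
 * copy_result=true models the struct copy; false is the assumed corrected variant. */
static void change_filter(struct filter *fnew, struct filter *fold, bool copy_result)
{
    if (copy_result)
        fnew->res = fold->res;     /* pointer copied, filter_cnt untouched */
    else
        bind_filter(fnew, fold->res.class);
    unbind_filter(fold);           /* always runs in the success path */
}

/* True if the class looks deletable while fnew still points at it. */
bool dangling_after_update(bool copy_result)
{
    struct tc_class cl = { 0 };
    struct filter fold = { { NULL } }, fnew = { { NULL } };
    bind_filter(&fold, &cl);       /* filter_cnt == 1 */
    change_filter(&fnew, &fold, copy_result);
    return cl.filter_cnt == 0 && fnew.res.class == &cl;
}

int main(void)
{
    printf("copied=%d own_ref=%d\n", dangling_after_update(true), dangling_after_update(false));
    return 0;
}
```

In the copied case the count reaches zero while the new filter still holds the class pointer, which is the state that lets the class be deleted underneath it.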

CVSS3: 7.8


Vendor State

| OS | Vendor version | Errata |
|---|---|---|
| Ubuntu 16.04 AWS HWE ESM | 4.15.0-1161.174~16.04.1 | USN-6396-1 |
| Ubuntu 16.04 Azure ESM | 4.15.0-1170.185~16.04.1 | USN-6396-1 |
| Debian 12 | 6.1.52-1 | DSA-5492-1 |
| Oracle Linux 7 | 3.10.0-1160.105.1.0.1.el7 | ELSA-2023-7423 |
| Rocky Linux 9 | 5.14.0-362.8.1.el9_3 | RLSA-2023:6583 |
| Oracle Linux 9 | 5.14.0-362.8.1.el9_3 | ELSA-2023-6583 |
| Oracle Linux 8 | 4.18.0-513.5.1.el8_9 | ELSA-2023-7077 |
| Ubuntu 16.04 AWS ESM | 4.4.0-1161.176 | USN-6388-1 |
| Ubuntu 16.04 HWE ESM | 4.15.0-218.229~16.04.1 | USN-6396-1 |
| Debian 11 | 5.10.191-1 | DSA-5480-1 |
| Amazon Linux 2 | 4.14.322-244.536.amzn2 | ALAS-2023-2268 |
| AlmaLinux 9 | 5.14.0-362.8.1.el9_3 | ALSA-2023:6583 |
| RHEL 9 | 5.14.0-362.8.1.el9_3 | RHSA-2023:6583 |
| RHEL 7 | 3.10.0-1160.105.1.el7 | RHSA-2023:7423 |
| RHEL 8 | 4.18.0-513.5.1.el8_9 | RHSA-2023:7077 |
| AlmaLinux 8 | 4.18.0-513.5.1.el8_9 | ALSA-2023:7077 |
| Rocky Linux 8 | 4.18.0-513.5.1.el8_9 | RLSA-2023:7077 |
| Amazon Linux 2 5.10 | 5.10.192-182.736.amzn2 | ALASKERNEL-5.10-2023-039 |
| Amazon Linux 2 5.4 | 5.4.253-167.359.amzn2 | ALASKERNEL-5.4-2023-054 |
| Ubuntu 20.04 AWS | 5.4.0-1110.119 | USN-6387-1 |
| Ubuntu 20.04 | 5.4.0-163.180 | USN-6387-1 |
| Ubuntu 22.04 | 5.15.0-84.93 | USN-6386-1 |
| Ubuntu 22.04 AWS | 5.15.0-1045.50 | USN-6386-1 |
| Ubuntu 22.04 Azure | 5.15.0-1047.54 | USN-6386-1 |
| Oracle Linux 6 UEK 4 | 4.1.12-124.79.2.el6uek | ELSA-2023-12842 |
| Oracle Linux 7 UEK 4 | 4.1.12-124.79.2.el7uek | ELSA-2023-12842 |
| Amazon Linux 1 | 4.14.322-170.535.amzn1 | ALAS-2023-1827 |

KernelCare State

| OS | Original kernel version | State |
|---|---|---|
| Ubuntu 16.04 AWS HWE ESM | | Will Not Fix |
| Ubuntu 16.04 Azure ESM | | Will Not Fix |
| Debian 12 | | Planned |
| Oracle Linux 7 | | Planned |
| Rocky Linux 9 | 5.14.0-162.12.1.el9_1.0.1, 5.14.0-162.12.1.el9_1.0.2, 5.14.0-162.18.1.el9_1, 5.14.0-162.22.2.el9_1, 5.14.0-162.23.1.el9_1, 5.14.0-162.6.1.el9_1.0.1, 5.14.0-162.6.1.el9_1, 5.14.0-70.22.1.el9_0, 5.14.0-70.26.1.el9_0, 5.14.0-70.30.1.el9_0 | Released |
| Oracle Linux 9 | 5.14.0-162.18.1.el9_1, 5.14.0-162.22.2.el9_1, 5.14.0-162.23.1.el9_1, 5.14.0-70.26.1.0.1.el9_0, 5.14.0-162.12.1.el9_1, 5.14.0-162.6.1.el9_1, 5.14.0-284.11.1.el9_2, 5.14.0-284.18.1.el9_2, 5.14.0-284.25.1.el9_2, 5.14.0-70.13.1.0.3.el9_0, 5.14.0-70.17.1.0.1.el9_0, 5.14.0-70.22.1.0.1.el9_0 | Released |
| Oracle Linux 8 | | Planned |
| Ubuntu 16.04 AWS ESM | | Will Not Fix |
| Ubuntu 16.04 HWE ESM | | Will Not Fix |
| Debian 11 | | Will Not Fix |
| Amazon Linux 2 | | Ready For Release |
| AlmaLinux 9 | 5.14.0-162.12.1.el9_1, 5.14.0-162.18.1.el9_1, 5.14.0-162.22.2.el9_1, 5.14.0-162.23.1.el9_1, 5.14.0-162.6.1.el9_1, 5.14.0-284.11.1.el9_2, 5.14.0-284.18.1.el9_2, 5.14.0-284.25.1.el9_2, 5.14.0-70.13.1.el9_0, 5.14.0-70.17.1.el9_0, 5.14.0-70.22.1.el9_0, 5.14.0-70.26.1.el9_0, 5.14.0-70.30.1.el9_0 | Released |
| RHEL 9 | 5.14.0-70.30.1.el9_0, 5.14.0-70.5.1.el9_0, 5.14.0-162.12.1.el9_1, 5.14.0-162.18.1.el9_1, 5.14.0-162.22.2.el9_1, 5.14.0-162.23.1.el9_1, 5.14.0-162.6.1.el9_1, 5.14.0-284.11.1.el9_2, 5.14.0-284.18.1.el9_2, 5.14.0-284.25.1.el9_2, 5.14.0-284.30.1.el9_2, 5.14.0-70.13.1.el9_0, 5.14.0-70.17.1.el9_0, 5.14.0-70.22.1.el9_0, 5.14.0-70.26.1.el9_0 | Released |
| RHEL 7 | | In Progress |
| RHEL 8 | | In Progress |
| AlmaLinux 8 | | Planned |
| Rocky Linux 8 | | Planned |
| Amazon Linux 2 5.10 | | Planned |
| Amazon Linux 2 5.4 | | Planned |
| Ubuntu 20.04 AWS | | Will Not Fix |
| Ubuntu 20.04 | | Will Not Fix |
| Ubuntu 22.04 | | Will Not Fix |
| Ubuntu 22.04 AWS | | Will Not Fix |
| Ubuntu 22.04 Azure | | Will Not Fix |
| Oracle Linux 6 UEK 4 | | Planned |
| Oracle Linux 7 UEK 4 | | Planned |
| Amazon Linux 1 | | Will Not Fix |