CVE-2023-1079Use After Free in Kernel

CWE-416Use After Free26 documents7 sources
Severity
6.8MEDIUMNVD
OSV5.5
EPSS
0.0%
top 94.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
8
Linux KernelDebian LinuxMsrc Cbl2 Kernel 5.15.102.1-3 ON CBL Mariner 2.0+5 more
Timeline
PublishedMar 27
Latest updateJan 29

Description

A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption w

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 0.9 | Impact: 5.9

Affected Packages11 packages

Debianlinux/linux_kernel< 5.10.178-1+3
Ubuntulinux/linux_kernel< 5.4.0-152.169+2
CVEListV5linux/linux_kernelunknown
debiandebian/linux< linux 6.1.20-1 (bookworm)

Patches

Patch: git.kernel.orgPatch: git.kernel.org

🔴Vulnerability Details

12
OSV
linux-azure, linux-azure-4.15 vulnerabilities2024-01-29
OSV
linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle vulnerabilities2024-01-25
OSV
linux-iot vulnerabilities2023-07-27
OSV
linux-xilinx-zynqmp vulnerabilities2023-07-12
OSV
linux-azure-fde vulnerabilities2023-07-12

📋Vendor Advisories

13
Ubuntu
Linux kernel (Azure) vulnerabilities2024-01-29
Ubuntu
Linux kernel vulnerabilities2024-01-25
Ubuntu
Linux kernel (IoT) vulnerabilities2023-07-27
Ubuntu
Linux kernel (Azure CVM) vulnerabilities2023-07-12
Ubuntu
Linux kernel (Xilinx ZynqMP) vulnerabilities2023-07-12