CVE-2023-2007: Time-of-check Time-of-use (TOCTOU) Race Condition in Kernel

Severity: 7.8 HIGH (NVD)
EPSS: 0.0% (top 92.30%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Apr 24
Latest update: Apr 25

Description

The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (4 packages)

Debian: linux/linux_kernel < 5.10.191-1+3
debian: debian/linux < linux 6.0.2-1 (bookworm)

Also affects: Debian Linux 10.0, 11.0

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-q945-mj3h-45f2: The specific flaw exists within the DPT I2O Controller driver (2023-04-25)
OSV: CVE-2023-2007: The specific flaw exists within the DPT I2O Controller driver (2023-04-24)

📋 Vendor Advisories (3)

Red Hat: kernel: DPT I2O controller TOCTOU information disclosure vulnerability (2023-04-13)
Microsoft: The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction w (2023-04-11)
Debian: CVE-2023-2007: linux - The specific flaw exists within the DPT I2O Controller driver. The issue results... (2023)
CVE-2023-2007 — Linux Kernel vulnerability | cvebase