CVE-2023-39191Improper Input Validation in Kernel

CWE-20Improper Input Validation9 documents9 sources
Severity
8.2HIGHNVD
EPSS
0.0%
top 96.65%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Linux KernelFedoraproject FedoraRedhat Enterprise Linux
Timeline
PublishedOct 4
Latest updateJan 8

Description

An improper input validation flaw was found in the eBPF subsystem in the Linux kernel. The issue occurs due to a lack of proper validation of dynamic pointers within user-supplied eBPF programs prior to executing them. This may allow an attacker with CAP_BPF privileges to escalate privileges and execute arbitrary code in the context of the kernel.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HExploitability: 1.5 | Impact: 6.0

Affected Packages2 packages

NVDlinux/linux_kernel5.196.3
Debianlinux/linux_kernel< 6.3.7-1+1

Also affects: Enterprise Linux 9.0, Fedora 38

Patches

Patch: bugzilla.redhat.comPatch: www.zerodayinitiative.comPatch: bugzilla.redhat.com

🔴Vulnerability Details

3
OSV
CVE-2023-39191: An improper input validation flaw was found in the eBPF subsystem in the Linux kernel2023-10-04
GHSA
GHSA-gxg7-pxwf-9r28: An improper input validation flaw was found in the eBPF subsystem in the Linux kernel2023-10-04
CVEList
Kernel: ebpf: insufficient stack type checks in dynptr2023-10-04

📋Vendor Advisories

4
Chrome
Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2023-65112024-01-08
Microsoft
Kernel: ebpf: insufficient stack type checks in dynptr2023-10-10
Red Hat
kernel: eBPF: insufficient stack type checks in dynptr2023-09-29
Debian
CVE-2023-39191: linux - An improper input validation flaw was found in the eBPF subsystem in the Linux k...2023

💬Community

1
Bugzilla
CVE-2023-39191 kernel: eBPF: insufficient stack type checks in dynptr2023-07-26
CVE-2023-39191 — Improper Input Validation in Kernel | cvebase