CVE-2023-5345

CWE-416: Use After Free
20 documents, 8 sources

Severity: 7.8 HIGH
EPSS: 0.0% (top 93.00%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 3; latest update Feb 7

Description

A use-after-free vulnerability in the Linux kernel's fs/smb/client component can be exploited to achieve local privilege escalation. In case of an error in smb3_fs_context_parse_param, ctx->password was freed but the field was not set to NULL, which could lead to a double free. We recommend upgrading past commit e6e43b8aa7cd3c3af686caf0c2e11819a886d705.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (31 packages)

CVEListV5 | linux/kernel | 0.0 | 6.6
NVD | linux/linux_kernel | 6.0.16 | 6.1.56 (+2)
Debian | linux | < 6.1.64-1 (+2)
Ubuntu | linux | < 4.4.0-250.284 (+3)
Ubuntu | linux-aws | < 4.4.0-1165.180 (+3)

Also affects: Fedora 37, 38, 39

Vulnerability Details (5)

OSV: Kernel Live Patch Security Notice (2024-02-07)
OSV: linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15 vulnerabilities (2024-01-25)
CVEList: Use-after-free in Linux kernel's fs/smb/client component (2023-10-03)
GHSA: GHSA-g488-m495-9mgj: A use-after-free vulnerability in the Linux kernel's fs/smb/client component can be exploited to achieve local privilege escalation (2023-10-03)
OSV: CVE-2023-5345: A use-after-free vulnerability in the Linux kernel's fs/smb/client component can be exploited to achieve local privilege escalation (2023-10-03)

Vendor Advisories (14)

Ubuntu: Kernel Live Patch Security Notice (2024-02-07)
Ubuntu: Linux kernel (Azure) vulnerabilities (2024-01-25)
Ubuntu: Linux kernel (Azure) vulnerabilities (2024-01-09)
Ubuntu: Linux kernel (GCP) vulnerabilities (2023-12-06)
Ubuntu: Linux kernel vulnerabilities (2023-11-30)