CVE-2023-6270 — Use After Free in Linux
Severity
7.8HIGHNVD
NVD7.0CNA7.0OSV7.0OSV6.5OSV5.5
EPSS
0.0%
top 93.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJan 4
Latest updateAug 14
Description
A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.
CVSS vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9
Affected Packages4 packages
▶CVEListV5linux/linuxad80c34944d7175fa1f5c7a55066020002921a99 — 12f7b89dd72b25da4eeaa22097877963cad6418e+21
Also affects: Debian Linux 10.0, Fedora 39
🔴Vulnerability Details
42GHSA▶
GHSA-g9fr-wfpx-28xj: In the Linux kernel, the following vulnerability has been resolved:
aoe: fix the potential use-after-free problem in more places
For fixing CVE-2023↗2024-10-21
OSV▶
CVE-2024-49982: In the Linux kernel, the following vulnerability has been resolved: aoe: fix the potential use-after-free problem in more places For fixing CVE-2023-6↗2024-10-21
📋Vendor Advisories
39💬Community
1Bugzilla▶
CVE-2023-6270 kernel: AoE: improper reference count leads to use-after-free vulnerability↗2024-01-04