CVE-2023-1872 HIGH

CVE-2023-1872: Use-after-free in Linux kernel's io_uring subsystem

Vendor Linux

Product Linux Kernel

Weakness CWE-416

Published April 12, 2023

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

7.8/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation. The io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered. We recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.

Key dates

02Disclosure timeline

April 12, 2023 CVE published

February 13, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-1872 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/416.html

Related vulnerabilities

CVE-2023-1872: Use-after-free in Linux kernel's io_uring subsystem

01Description

02Disclosure timeline

03References

04Related CVE