SB2023110644 - Local denial of service in Linux kernel UDF filesystem
Published: November 6, 2023
Description
This security bulletin contains information about 1 security vulnerability.
1) Use-after-free (CVE-ID: CVE-2023-37454)
The vulnerability allows a local authenticated user to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error within the udf_put_super and udf_close_lvid functions in fs/udf/super.c. A local authenticated user can trigger a use-after-free error and perform a denial of service (DoS) attack.
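The flaw lives in the UDF filesystem driver, so the first triage question on a host is whether UDF support is even in play. The POSIX shell helpers below are an added example for that check and are not part of this bulletin or of the kernel sources; the function names (udf_module_loaded, udf_mount_points, udf_exposure_summary) and the sample /proc/modules and /proc/mounts text are constructed here. The helpers take file contents as arguments so they run the same way against captured text from a fleet inventory as against the live system.

```shell
#!/bin/sh
# Added example (not from the bulletin): exposure triage for the UDF driver.
# Functions take the text of /proc/modules and /proc/mounts as arguments.

# udf_module_loaded MODULES_TEXT: exit 0 if a /proc/modules line names "udf",
# exit 1 otherwise. Note: a kernel with UDF built in (CONFIG_UDF_FS=y) shows
# no module line, so "absent" from this check alone is not proof of immunity.
udf_module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "udf" { found = 1 } END { exit !found }'
}

# udf_mount_points MOUNTS_TEXT: print the mount point (second column) of every
# mounted filesystem whose type (third column of /proc/mounts) is "udf".
udf_mount_points() {
    printf '%s\n' "$1" | awk '$3 == "udf" { print $2 }'
}

# udf_exposure_summary MODULES_TEXT MOUNTS_TEXT: print one of
#   mounted - at least one UDF filesystem is currently mounted
#   loaded  - the udf module is loaded but nothing is mounted
#   absent  - no udf module line and no udf mounts (see built-in caveat above)
udf_exposure_summary() {
    if [ -n "$(udf_mount_points "$2")" ]; then
        echo mounted
    elif udf_module_loaded "$1"; then
        echo loaded
    else
        echo absent
    fi
}

# Constructed sample data in the /proc/modules and /proc/mounts formats.
SAMPLE_MODULES='udf 110592 1 - Live 0xffffffffc0a00000
crc_itu_t 16384 1 udf, Live 0xffffffffc09f0000
ext4 1048576 2 - Live 0xffffffffc0800000'

SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/loop0 /mnt/image udf ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# Run against the live system when the proc files are readable; otherwise
# fall back to the constructed sample so the script runs anywhere.
if [ -r /proc/modules ] && [ -r /proc/mounts ]; then
    udf_exposure_summary "$(cat /proc/modules)" "$(cat /proc/mounts)"
else
    udf_exposure_summary "$SAMPLE_MODULES" "$SAMPLE_MOUNTS"
fi
```

A result of "mounted" or "loaded" means the vulnerable code path is reachable until the vendor update is applied; pair the result with the running kernel version when deciding patch priority.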
Remediation
Install update from vendor's website.
References
- https://syzkaller.appspot.com/bug?extid=61564e5023b7229ec85d
- https://syzkaller.appspot.com/bug?extid=26873a72980f8fa8bc55
- https://lore.kernel.org/all/00000000000056e02f05dfb6e11a@google.com/T/
- https://syzkaller.appspot.com/bug?extid=60864ed35b1073540d57
- https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-37454