Vulnerability Details : CVE-2023-34256
An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against attackers with the stated "When modifying the block device while it is mounted by the filesystem" access.
Exploit prediction scoring system (EPSS) score for CVE-2023-34256
Probability of exploitation activity in the next 30 days: 0.04%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 6 %
CVSS scores for CVE-2023-34256
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 | NIST |
CWE ids for CVE-2023-34256
- The product reads data past the end, or before the beginning, of the intended buffer. Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-34256
- https://bugzilla.suse.com/show_bug.cgi?id=1211895
  1211895 – (CVE-2023-34256) VUL-0: CVE-2023-34256: DISPUTED: kernel: potential slab-out-of-bounds in ext4_group_desc_csum (Issue Tracking; Patch; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/07/msg00030.html
  [SECURITY] [DLA 3508-1] linux security update (Mailing List; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html
  [SECURITY] [DLA 3623-1] linux-5.10 security update (Mailing List; Third Party Advisory)
- https://syzkaller.appspot.com/bug?extid=8785e41224a3afd04321
  KASAN: slab-out-of-bounds Read in ext4_group_desc_csum (Mailing List; Patch)
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.3.3
  (Mailing List; Patch)
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f04351888a83e595571de672e0a4a8b74f4fb31
  kernel/git/torvalds/linux.git - Linux kernel source tree (Mailing List; Patch)
Products affected by CVE-2023-34256
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise:15.0:sp4:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise:15.0:sp5:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise:12.0:sp5:*:*:*:*:*:*