Vulnerability Details : CVE-2023-6546
A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. This could allow a local unprivileged user to escalate their privileges on the system.
Vulnerability category: Memory Corruption
Products affected by CVE-2023-6546
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.5:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.5:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.5:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.5:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.5:rc6:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-6546
- 0.13%: Probability of exploitation activity in the next 30 days
- ~48%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-6546
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 | NIST | 2024-01-03 |
7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 | Red Hat, Inc. | 2024-02-21 |
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | Red Hat, Inc. | |
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | N/A | N/A | RedHat-CVE-2023-6546 | |
CWE ids for CVE-2023-6546
- The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. Assigned by: nvd@nist.gov (Primary)
- The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. Assigned by: secalert@redhat.com (Secondary)
References for CVE-2023-6546
- http://www.openwall.com/lists/oss-security/2024/04/12/1
  oss-security - Re: New Linux LPE via GSMIOC_SETCONF_DLCI?
- http://www.openwall.com/lists/oss-security/2024/04/11/7
  oss-security - Re: New Linux LPE via GSMIOC_SETCONF_DLCI?
- https://access.redhat.com/errata/RHSA-2024:1055
  RHSA-2024:1055 - Security Advisory - Red Hat Customer Portal
- https://www.zerodayinitiative.com/advisories/ZDI-CAN-20527
  ZDI-24-020 | Zero Day Initiative
- https://github.com/torvalds/linux/commit/3c4f8333b582487a2d1e02171f1465531cde53e3
  tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux · torvalds/linux@3c4f833 · GitHub (Patch)
- https://access.redhat.com/errata/RHSA-2024:1612
  RHSA-2024:1612 - Security Advisory - Red Hat Customer Portal
- http://www.openwall.com/lists/oss-security/2024/04/11/9
  oss-security - Re: New Linux LPE via GSMIOC_SETCONF_DLCI?
- https://access.redhat.com/errata/RHSA-2024:1250
  RHSA-2024:1250 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2024:1019
  RHSA-2024:1019 - Security Advisory - Red Hat Customer Portal
- http://www.openwall.com/lists/oss-security/2024/04/10/18
  oss-security - New Linux LPE via GSMIOC_SETCONF_DLCI?
- https://access.redhat.com/security/cve/CVE-2023-6546
  CVE-2023-6546 - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2024:4577
  RHSA-2024:4577 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2024:1018
  RHSA-2024:1018 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2024:4970
  RHSA-2024:4970 - Security Advisory - Red Hat Customer Portal
- http://www.openwall.com/lists/oss-security/2024/04/10/21
  oss-security - Re: New Linux LPE via GSMIOC_SETCONF_DLCI?
- http://www.openwall.com/lists/oss-security/2024/04/16/2
  oss-security - Re: New Linux LPE via GSMIOC_SETCONF_DLCI?
- http://www.openwall.com/lists/oss-security/2024/04/12/2
  oss-security - Re: New Linux LPE via GSMIOC_SETCONF_DLCI?
- https://access.redhat.com/errata/RHSA-2024:0937
  RHSA-2024:0937 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2024:1614
  RHSA-2024:1614 - Security Advisory - Red Hat Customer Portal
- http://www.openwall.com/lists/oss-security/2024/04/17/1
  oss-security - Re: New Linux LPE via GSMIOC_SETCONF_DLCI?
- https://access.redhat.com/errata/RHSA-2024:4729
  RHSA-2024:4729 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2024:1607
  RHSA-2024:1607 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2024:4731
  RHSA-2024:4731 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2024:2394
  RHSA-2024:2394 - Security Advisory - Red Hat Customer Portal
- https://bugzilla.redhat.com/show_bug.cgi?id=2255498
  2255498 – (CVE-2023-6546, ZDI-CAN-20527) CVE-2023-6546 kernel: GSM multiplexing race condition leads to privilege escalation (Issue Tracking; Patch; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2024:2621
  RHSA-2024:2621 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2024:1306
  RHSA-2024:1306 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2024:0930
  RHSA-2024:0930 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2024:1253
  RHSA-2024:1253 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2024:2697
  RHSA-2024:2697 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2024:2093
  RHSA-2024:2093 - Security Advisory - Red Hat Customer Portal