Vulnerability Details : CVE-2023-7152
A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function poll_set_add_fd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The patch is identified as 8b24aa36ba978eafc6114b6798b47b7bfecdca26. It is recommended to apply a patch to fix this issue. VDB-249158 is the identifier assigned to this vulnerability.
Vulnerability category: Memory Corruption
Products affected by CVE-2023-7152
- cpe:2.3:a:micropython:micropython:1.21.0:*:*:*:*:*:*:*
- cpe:2.3:a:micropython:micropython:1.22.0:preview:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-7152
0.49%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 76 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-7152
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.2
|
MEDIUM | AV:A/AC:L/Au:S/C:P/I:P/A:P |
5.1
|
6.4
|
VulDB | |
5.5
|
MEDIUM | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
2.1
|
3.4
|
VulDB | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST | 2024-01-05 |
CWE ids for CVE-2023-7152
-
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.Assigned by: cna@vuldb.com (Primary)
References for CVE-2023-7152
-
https://vuldb.com/?id.249158
CVE-2023-7152: MicroPython modselect.c poll_set_add_fd use after freeThird Party Advisory;VDB Entry
-
https://github.com/jimmo/micropython/commit/8b24aa36ba978eafc6114b6798b47b7bfecdca26
extmod/modselect: Handle growing the pollfds allocation correctly. · jimmo/micropython@8b24aa3 · GitHubPatch
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEK46QAJOXXDZOWOIE2YACUOCZFWOBCK/
[SECURITY] Fedora 38 Update: micropython-1.22.2-1.fc38 - package-announce - Fedora Mailing-Lists
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4E2HYWCZB5R4SHY4SZZZSFDMD64N4SOZ/
[SECURITY] Fedora 39 Update: micropython-1.22.2-1.fc39 - package-announce - Fedora Mailing-Lists
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D3WWY5JY4RTJE25APB4REGDUDPATG6H7/
[SECURITY] Fedora 40 Update: micropython-1.22.2-1.fc40 - package-announce - Fedora Mailing-Lists
-
https://vuldb.com/?ctiid.249158
CVE-2023-7152: MicroPython modselect.c poll_set_add_fd use after freePermissions Required;Third Party Advisory;VDB Entry
-
https://github.com/micropython/micropython/issues/12887
Use After Free at modselect.c:151 · Issue #12887 · micropython/micropython · GitHubExploit;Issue Tracking
Jump to