CVE-2023-1513 : A flaw was found in KVM. When calling the KVM_GET

A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak.

Published 2023-03-23 21:15:19

Updated 2025-02-25 20:15:32

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2023-1513

Redhat » Enterprise Linux » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 8.0
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 9.0
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions before (<) 6.2
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 37
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-1513

EPSS FAQ

0.01%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 1 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-1513

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
3.3	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	1.8	1.4	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-25
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
3.3	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	1.8	1.4	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2023-1513

CWE-665 Improper Initialization

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Primary)
- nvd@nist.gov (Secondary)
- secalert@redhat.com (Primary)

References for CVE-2023-1513

https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html

[SECURITY] [DLA 3403-1] linux security update

CVEs referencing this url
https://lore.kernel.org/kvm/20230214103304.3689213-1-gregkh%40linuxfoundation.org/

[PATCH] kvm: initialize all of the kvm_debugregs structure before sending it to userspace - Greg Kroah-Hartman
https://github.com/torvalds/linux/commit/2c10b61421a28e95a46ab489fd56c0f442ff6952

kvm: initialize all of the kvm_debugregs structure before sending it … · torvalds/linux@2c10b61 · GitHub
Patch
https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html

[SECURITY] [DLA 3404-1] linux-5.10 security update

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=2179892

2179892 – (CVE-2023-1513) CVE-2023-1513 kernel: KVM: information leak in KVM_GET_DEBUGREGS ioctl on 32-bit systems
Issue Tracking;Patch;Third Party Advisory
https://lore.kernel.org/kvm/20230214103304.3689213-1-gregkh@linuxfoundation.org/

[PATCH] kvm: initialize all of the kvm_debugregs structure before sending it to userspace - Greg Kroah-Hartman
Patch;Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-1513

Products affected by CVE-2023-1513

Exploit prediction scoring system (EPSS) score for CVE-2023-1513

CVSS scores for CVE-2023-1513

CWE ids for CVE-2023-1513

References for CVE-2023-1513