Vulnerabilities > CVE-2023-6270 - Use After Free vulnerability in multiple products

CVSS 7.0 - HIGH

Attack vector

LOCAL

Attack complexity

HIGH

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

high complexity

linux

fedoraproject

CWE-416

NVD

Published: 2024-01-04

Updated: 2024-11-21

Summary

A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.

Vulnerable Configurations

Part	Description	Count
OS	Linux Linux Linux Kernel -	1
OS	Fedoraproject Fedoraproject Fedora 39	1

Common Weakness Enumeration (CWE)

CWE-416 - Use After Free

References

https://access.redhat.com/security/cve/CVE-2023-6270
https://access.redhat.com/security/cve/CVE-2023-6270
https://bugzilla.redhat.com/show_bug.cgi?id=2256786
https://bugzilla.redhat.com/show_bug.cgi?id=2256786
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html