Use-After-Free Vulnerability in Ubuntu's AccountsService
CVE-2023-3297

8.1HIGH

Key Information:

Vendor
Canonical Ltd.
Status
Accountservice
Vendor
CVE Published:
1 September 2023

Summary

A use-after-free vulnerability exists in the accountsservice of Ubuntu that can be exploited by an unprivileged local attacker. By sending specially crafted D-Bus messages to the accounts-daemon process, an attacker can manipulate memory operations, potentially leading to unexpected behavior or crashes. Users and administrators are advised to apply any available patches to mitigate the risk associated with this vulnerability.

Affected Version(s)

AccountService Linux 23.13.9-2ubuntu2

References

https://ubuntu.com/security/notices/USN-6190-1
vendor-advisory
https://securitylab.github.com/advisories/GHSL-2023-139_a...
third-party-advisorytechnical-description
https://bugs.launchpad.net/ubuntu/+source/accountsservice...
issue-tracking

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kevin Backhouse
.