Out-of-bounds write in Linux kernel's Linux Kernel Performance Events (perf) component

CVE-2023-5717

7.8HIGH

Key Information

Vendor: Linux
Status: Kernel
Vendor: CVE Published:; 25 October 2023

Badges

👾 Exploit Exists

Summary

A heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation. If perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer. We recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06.

Affected Version(s)

Kernel < 6.6

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

👾
Exploit exists.
Jan 23, 2024
Vulnerability published.
Oct 25, 2023
Vulnerability Reserved.
Oct 23, 2023

Collectors

NVD DatabaseMitre Database0 Proof of Concept(s)

Credit

Budimir Markovic