Use-after-free in Linux kernel's ipv4: igmp component
CVE-2023-6932

7.8 HIGH

Key Information:

Vendor: Linux

Status
Vendor
CVE Published: 19 December 2023

What is CVE-2023-6932?

A use-after-free vulnerability has been identified in the ipv4: igmp component of the Linux kernel, which can be exploited for local privilege escalation. A race condition can cause a timer to be mistakenly registered on an RCU read-locked object that is then freed by another thread, potentially leading to unauthorized access to or control of the affected system. Upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1 is highly recommended to mitigate this risk.

Affected Version(s)

Kernel 2.6.12 < 6.7

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
