CVE-2023-52926
Published: 24 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved: IORING_OP_READ did not correctly consume the provided buffer list when read I/O returned < 0 (except for -EAGAIN and -EIOCBQUEUED returns). This can lead to a potential use-after-free when the completion via io_rw_done runs in a separate context.
Security Summary
CVE-2023-52926 is a use-after-free vulnerability (CWE-416) in the Linux kernel's io_uring subsystem, specifically affecting the IORING_OP_READ operation. The issue arises because IORING_OP_READ does not correctly consume the provided buffer list when a read I/O returns a negative error code (except for -EAGAIN and -EIOCBQUEUED). This mishandling can lead to a use-after-free condition when the I/O completion is processed via io_rw_done in a separate context. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Per the CVSS vector, exploitation requires local access with low privileges, has low attack complexity, and needs no user interaction. Successful exploitation could have a high impact on confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data corruption, or denial of service within the kernel context.
Mitigation involves applying the relevant upstream patches, as documented in kernel stable commit references such as 6c27fc6a783c8a77c756dd5461b15e465020d075, 72060434a14caea20925e492310d6e680e3f9007, and a08d195b586a217d76b42062f88f375a3eedda4d. Debian LTS users are advised to update affected systems per the announcement at lists.debian.org/debian-lts-announce/2025/03/msg00001.html, which details backported fixes for stable branches.
Details
- CWE(s)