Cyber Posture

CVE-2023-52973

High

Published: 27 March 2025

Modified: 01 April 2025
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (13.1th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Security Summary

CVE-2023-52973 is a use-after-free (UAF) vulnerability in the Linux kernel's vc_screen subsystem, located in the vcs_read() function of drivers/tty/vt/vc_screen.c. The flaw occurs because the struct vc_data pointer is loaded after a console_unlock() call, allowing vc_deallocate() to free the structure before it is accessed in vcs_size(), resulting in a UAF. This issue was detected by the Syzkaller fuzzer, with KASAN reporting a read of size 4 at a freed address during vcs_size() execution.

A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N) can exploit this vulnerability, as indicated by its CVSS v3.1 base score of 7.8 (C:H/I:H/A:H/S:U). Exploitation involves triggering vcs_read() on a virtual console device, such as through reads after console operations that lead to deallocation, potentially enabling arbitrary code execution, data corruption, or denial of service via the UAF.

Kernel stable patches address the issue by moving the load of the struct vc_data pointer to the top of the while loop in vcs_read() to ensure it occurs before console_unlock(). Affected users should apply commits such as 226fae124b2dac217ea5436060d623ff3385bc34, 55515d7d8743b71b80bfe68e89eb9d92630626ab, 6332f52f44b9776568bf3c0b714ddfb0bb175e78, 8506f16aae9daf354e3732bcfd447e2a97f023df, and af79ea9a2443016f64d8fd8d72020cc874f0e066 from the kernel stable repository.
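
The ordering problem and the fix described above can be seen in a small user-space model. This is an added example, not kernel code and not taken from the patches: every name in it (`vc_model`, `lookup_vc`, `deallocate_vc`, `read_rounds`) is hypothetical, the lock is represented only by comments, and the object is marked dead rather than actually freed so that a stale access can be counted deterministically.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed user-space model; all names are hypothetical, not kernel code. */
struct vc_model { bool live; int size; };

static struct vc_model storage;       /* never really freed: stale reads are counted, not UB */
static struct vc_model *vc_table[1];  /* stands in for the console table */

/* Plays the role of the struct vc_data pointer load. */
static struct vc_model *lookup_vc(void) { return vc_table[0]; }

/* Plays the role of vc_deallocate(): marks the object dead and clears the slot. */
static void deallocate_vc(void)
{
    if (vc_table[0]) { vc_table[0]->live = false; vc_table[0] = NULL; }
}

/*
 * Chunked read loop that drops the console lock once per round.
 * free_at: round during which another task deallocates the console while
 * the lock is dropped (-1 = never). reload_in_loop selects the patched order.
 * Returns the number of rounds that dereferenced a dead object, or -1 if the
 * loop stopped because the console was gone (the error value is an assumption).
 */
static int read_rounds(int rounds, int free_at, bool reload_in_loop)
{
    int stale = 0;

    storage.live = true;
    storage.size = 80 * 25;
    vc_table[0] = &storage;

    struct vc_model *vc = lookup_vc();   /* unpatched order: loaded once, before the loop */
    for (int i = 0; i < rounds; i++) {
        /* console lock held here */
        if (reload_in_loop) {
            vc = lookup_vc();            /* patched order: reload under the lock each round */
            if (!vc)
                return -1;
        }
        if (!vc->live)                   /* the size query dereferences vc, as vcs_size() does */
            stale++;
        /* lock dropped for the copy to user space; a concurrent free can land here */
        if (i == free_at)
            deallocate_vc();
        /* lock re-acquired */
    }
    return stale;
}
```

With the pointer loaded once, every round after the deallocation touches the dead object; with the reload at the top of the loop, the next round sees the empty slot and stops.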

Details

CWE(s)
CWE-416

Affected Products

linux
linux kernel
6.2 · 2.6.38 — 4.14.329 · 4.15 — 4.19.273 · 4.20 — 5.4.232

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The kernel use-after-free in vcs_read() directly enables local privilege escalation via arbitrary code execution or system compromise by a low-privileged attacker.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References