Vulnerability identifier: #VU89393
Vulnerability risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-52477
CWE-ID: CWE-908
Exploitation vector: Local
Exploit availability: No
Vulnerable software: Linux kernel (Operating systems & Components / Operating system)
Vendor: Linux Foundation
Description
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to the use of uninitialized BOS descriptors in drivers/usb/core/hub.c.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Linux kernel: All versions
External links
https://git.kernel.org/stable/c/c64e4dca9aefd232b17ac4c779b608b286654e81
https://git.kernel.org/stable/c/8e7346bfea56453e31b7421c1c17ca2fb9ed613d
https://git.kernel.org/stable/c/6ad3e9fd3632106696692232bf7ff88b9f7e1bc3
https://git.kernel.org/stable/c/241f230324337ed5eae3846a554fb6d15169872c
https://git.kernel.org/stable/c/528f0ba9f7a4bc1b61c9b6eb591ff97ca37cac6b
https://git.kernel.org/stable/c/fb9895ab9533534335fa83d70344b397ac862c81
https://git.kernel.org/stable/c/136f69a04e71ba3458d137aec3bb2ce1232c0289
https://git.kernel.org/stable/c/f74a7afc224acd5e922c7a2e52244d891bbe44ee
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.