#VU90660 NULL pointer dereference in Linux kernel - CVE-2023-52463

Vulnerability identifier: #VU90660

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-52463

CWE-ID: CWE-476

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the efivarfs_get_tree() function in fs/efivarfs/super.c. A local user can perform a denial of service (DoS) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Linux kernel: All versions

---

External links
https://git.kernel.org/stable/c/94c742324ed7e42c5bd6a9ed22e4ec6d764db4d8
https://git.kernel.org/stable/c/2aa141f8bc580f8f9811dfe4e0e6009812b73826
https://git.kernel.org/stable/c/d4a9aa7db574a0da64307729cc031fb68597aa8b
https://git.kernel.org/stable/c/0049fe7e4a85849bdd778cdb72e51a791ff3d737
https://git.kernel.org/stable/c/d4a714873db0866cc471521114eeac4a5072d548
https://git.kernel.org/stable/c/0e8d2444168dd519fea501599d150e62718ed2fe

---

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.