#VU93856 Use of obsolete function in Linux kernel - CVE-2023-52656

Vulnerability identifier: #VU93856

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-52656

CWE-ID: CWE-477

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to have negative impact on system performance.

The vulnerability exists due to usage of dead code related to SCM_RIGHTS within the io_allocate_scq_urings(), io_ring_ctx_free(), and io_cqring_wait() function in fs/io_uring.c. A local user can influence system performance.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Linux kernel: All versions

---

External links
https://git.kernel.org/stable/c/cfb24022bb2c31f1f555dc6bc3cc5e2547446fb3
https://git.kernel.org/stable/c/a6771f343af90a25f3a14911634562bb5621df02
https://git.kernel.org/stable/c/d909d381c3152393421403be4b6435f17a2378b4
https://git.kernel.org/stable/c/a3812a47a32022ca76bf46ddacdd823dc2aabf8b
https://git.kernel.org/stable/c/88c49d9c896143cdc0f77197c4dcf24140375e89
https://git.kernel.org/stable/c/6e5e6d274956305f1fc0340522b38f5f5be74bdb
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

---

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.