Vulnerability identifier: #VU96362
Vulnerability risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID: CWE-20
Exploitation vector: Local
Exploit availability: No
Vulnerable software: Linux kernel (Operating systems & Components / Operating system)
Vendor: Linux Foundation
Description
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the valid_label() and NLA_POLICY_EXACT_LEN() functions in net/sched/act_mpls.c. A local user can perform a denial of service (DoS) attack.
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
Linux kernel: All versions
External links
https://git.kernel.org/stable/c/2b157c3c5d6b8ddca48d53c9e662032f65af8d61
https://git.kernel.org/stable/c/453277feb41c2235cf2c0de9209eef962c401457
https://git.kernel.org/stable/c/9e2c38827cdc6fdd3bb375c8607fc04d289756f9
https://git.kernel.org/stable/c/8a97b544b98e44f596219ebb290fd2ba2fd5d644
https://git.kernel.org/stable/c/9e17f99220d111ea031b44153fdfe364b0024ff2
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.