CVE-2023-52436 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: f2fs: explicitly null-terminate the xattr list When setting an xattr, explicitly null-terminate the xattr list. This eliminates the fragile assumption that the unused xattr space is always zeroed.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Linux	Linux Kernel

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

References

Link	Resource
https://git.kernel.org/stable/c/12cf91e23b126718a96b914f949f2cdfeadc7b2a	Patch
https://git.kernel.org/stable/c/16ae3132ff7746894894927c1892493693b89135	Patch
https://git.kernel.org/stable/c/2525d1ba225b5c167162fa344013c408e8b4de36	Patch
https://git.kernel.org/stable/c/32a6cfc67675ee96fe107aeed5af9776fec63f11	Patch
https://git.kernel.org/stable/c/3e47740091b05ac8d7836a33afd8646b6863ca52	Patch
https://git.kernel.org/stable/c/5de9e9dd1828db9b8b962f7ca42548bd596deb8a	Patch
https://git.kernel.org/stable/c/e26b6d39270f5eab0087453d9b544189a38c8564	Patch
https://git.kernel.org/stable/c/f6c30bfe5a49bc38cae985083a11016800708fea	Patch
https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Linux

Published: 2024-02-20T18:34:47.387Z

Updated: 2024-05-28T19:49:20.982Z

Reserved: 2024-02-20T12:30:33.290Z

Link: CVE-2023-52436

JSON object: View

NVD Information

Status : Modified

Published: 2024-02-20T21:15:08.060

Modified: 2024-06-27T12:15:14.000

Link: CVE-2023-52436

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2023-52436", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-20T12:30:33.290Z", "datePublished": "2024-02-20T18:34:47.387Z", "dateUpdated": "2024-05-28T19:49:20.982Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-28T19:49:20.982Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: explicitly null-terminate the xattr list\n\nWhen setting an xattr, explicitly null-terminate the xattr list. This\neliminates the fragile assumption that the unused xattr space is always\nzeroed."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/f2fs/xattr.c"], "versions": [{"version": "1da177e4c3f4", "lessThan": "16ae3132ff77", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "12cf91e23b12", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "3e47740091b0", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "32a6cfc67675", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "5de9e9dd1828", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "2525d1ba225b", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "f6c30bfe5a49", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "e26b6d39270f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/f2fs/xattr.c"], "versions": [{"version": "4.19.306", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.4.268", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.10.209", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.15.148", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.1.74", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.6.13", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.7.1", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.8", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/16ae3132ff7746894894927c1892493693b89135"}, {"url": "https://git.kernel.org/stable/c/12cf91e23b126718a96b914f949f2cdfeadc7b2a"}, {"url": "https://git.kernel.org/stable/c/3e47740091b05ac8d7836a33afd8646b6863ca52"}, {"url": "https://git.kernel.org/stable/c/32a6cfc67675ee96fe107aeed5af9776fec63f11"}, {"url": "https://git.kernel.org/stable/c/5de9e9dd1828db9b8b962f7ca42548bd596deb8a"}, {"url": "https://git.kernel.org/stable/c/2525d1ba225b5c167162fa344013c408e8b4de36"}, {"url": "https://git.kernel.org/stable/c/f6c30bfe5a49bc38cae985083a11016800708fea"}, {"url": "https://git.kernel.org/stable/c/e26b6d39270f5eab0087453d9b544189a38c8564"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"}], "title": "f2fs: explicitly null-terminate the xattr list", "x_generator": {"engine": "bippy-a5840b7849dd"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52436", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-21T20:39:15.806517Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:23:01.871Z"}}]}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A7AEFD0-0681-4E8D-9074-27416D3EE94C", "versionEndExcluding": "4.19.306", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "35ADF607-EDCA-45AB-8FB6-9F2D40D47C0C", "versionEndExcluding": "5.4.268", "versionStartIncluding": "4.20.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D2E4F24-2FBB-4434-8598-2B1499E566B5", "versionEndExcluding": "5.10.209", "versionStartIncluding": "5.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E25E1389-4B0F-407A-9C94-5908FF3EE88B", "versionEndExcluding": "5.15.148", "versionStartIncluding": "5.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7DD9841-CE11-470D-A285-A2E8E0F6640D", "versionEndExcluding": "6.1.74", "versionStartIncluding": "5.16.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "74A1FFC7-19FA-450E-BC2D-2BBD2EBF0A5F", "versionEndExcluding": "6.6.13", "versionStartIncluding": "6.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "664EB721-F519-48BB-B1C8-897D5990CD78", "versionEndExcluding": "6.7.1", "versionStartIncluding": "6.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: explicitly null-terminate the xattr list\n\nWhen setting an xattr, explicitly null-terminate the xattr list. This\neliminates the fragile assumption that the unused xattr space is always\nzeroed."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: f2fs: termina expl\u00edcitamente en nulo la lista xattr Al configurar un xattr, termina expl\u00edcitamente en nulo la lista xattr. Esto elimina la fr\u00e1gil suposici\u00f3n de que el espacio xattr no utilizado siempre se pone a cero."}], "id": "CVE-2023-52436", "lastModified": "2024-06-27T12:15:14.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-20T21:15:08.060", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/12cf91e23b126718a96b914f949f2cdfeadc7b2a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/16ae3132ff7746894894927c1892493693b89135"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2525d1ba225b5c167162fa344013c408e8b4de36"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/32a6cfc67675ee96fe107aeed5af9776fec63f11"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3e47740091b05ac8d7836a33afd8646b6863ca52"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5de9e9dd1828db9b8b962f7ca42548bd596deb8a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e26b6d39270f5eab0087453d9b544189a38c8564"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f6c30bfe5a49bc38cae985083a11016800708fea"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}