CVE-2023-21400

NameCVE-2023-21400
DescriptionIn multiple functions of io_uring.c, there is a possible kernel memory corruption due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed. User interaction is not needed for exploitation.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3623-1, DSA-5480-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
linux (PTS)buster4.19.249-2fixed
buster (security)4.19.304-1fixed
bullseye5.10.209-2fixed
bullseye (security)5.10.205-2fixed
bookworm6.1.76-1fixed
bookworm (security)6.1.85-1fixed
sid, trixie6.7.12-1fixed
linux-5.10 (PTS)buster (security)5.10.209-2~deb10u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
linuxsourcebuster(not affected)
linuxsourcebullseye5.10.191-1DSA-5480-1
linuxsource(unstable)5.18.2-1
linux-5.10sourcebuster5.10.197-1~deb10u1DLA-3623-1

Notes

[buster] - linux <not-affected> (Vulnerable code not present)
https://source.android.com/security/bulletin/pixel/2023-07-01
https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html
https://www.openwall.com/lists/oss-security/2023/07/14/2
https://www.openwall.com/lists/oss-security/2023/07/25/9
https://twitter.com/VAR10CK/status/1683303642173153280
Search for package or bug name: Reporting problems