CVE-2023-39192

NameCVE-2023-39192
DescriptionA flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32 module did not validate the fields in the xt_u32 structure. This flaw allows a local privileged attacker to trigger an out-of-bounds read by setting the size fields with a value beyond the array boundaries, leading to a crash or information disclosure.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
linux (PTS)buster4.19.249-2vulnerable
buster (security)4.19.289-2vulnerable
bullseye5.10.197-1fixed
bullseye (security)5.10.191-1vulnerable
bookworm6.1.55-1fixed
bookworm (security)6.1.52-1vulnerable
trixie6.5.10-1fixed
sid6.5.13-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
linuxsourcebullseye5.10.197-1
linuxsourcebookworm6.1.55-1
linuxsource(unstable)6.5.3-1

Notes

https://www.zerodayinitiative.com/advisories/ZDI-23-1490/
https://git.kernel.org/linus/69c5d284f67089b4750d28ff6ac6f52ec224b330 (6.6-rc1)
Search for package or bug name: Reporting problems