CVE-2023-6546 | THREATINT

Description

A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. This could allow a local unprivileged user to escalate their privileges on the system.

PUBLISHED Reserved 2023-12-06 | Published 2023-12-21 | Updated 2025-09-25 | Assigner redhat

HIGH: 7.0CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Use After Free

Product status

Default status

affected

0:4.18.0-513.24.1.rt7.326.el8_9 (rpm) before *

unaffected

Default status

affected

0:4.18.0-513.24.1.el8_9 (rpm) before *

unaffected

Default status

unaffected

Default status

affected

0:4.18.0-193.136.1.el8_2 (rpm) before *

unaffected

Default status

affected

0:4.18.0-305.134.1.el8_4 (rpm) before *

unaffected

Default status

affected

0:4.18.0-305.134.1.rt7.210.el8_4 (rpm) before *

unaffected

Default status

affected

0:4.18.0-305.134.1.el8_4 (rpm) before *

unaffected

Default status

affected

0:4.18.0-305.134.1.el8_4 (rpm) before *

unaffected

Default status

unaffected

Default status

affected

0:4.18.0-372.93.1.el8_6 (rpm) before *

unaffected

Default status

unaffected

Default status

affected

0:4.18.0-477.55.1.el8_8 (rpm) before *

unaffected

Default status

unaffected

Default status

affected

0:5.14.0-427.13.1.el9_4 (rpm) before *

unaffected

Default status

affected

0:5.14.0-427.13.1.el9_4 (rpm) before *

unaffected

Default status

affected

0:5.14.0-70.93.2.el9_0 (rpm) before *

unaffected

Default status

affected

0:5.14.0-70.93.1.rt21.165.el9_0 (rpm) before *

unaffected

Default status

unaffected

Default status

affected

0:5.14.0-284.55.1.el9_2 (rpm) before *

unaffected

Default status

affected

0:5.14.0-284.55.1.rt14.340.el9_2 (rpm) before *

unaffected

Default status

unaffected

Default status

affected

0:4.18.0-372.93.1.el8_6 (rpm) before *

unaffected

Default status

affected

v5.7.13-16 (rpm) before *

unaffected

Default status

affected

v5.7.13-7 (rpm) before *

unaffected

Default status

affected

v6.8.1-408 (rpm) before *

unaffected

Default status

affected

v5.7.13-19 (rpm) before *

unaffected

Default status

affected

v1.0.0-480 (rpm) before *

unaffected

Default status

affected

v5.7.13-9 (rpm) before *

unaffected

Default status

affected

v0.4.0-248 (rpm) before *

unaffected

Default status

affected

v1.14.6-215 (rpm) before *

unaffected

Default status

affected

v6.8.1-431 (rpm) before *

unaffected

Default status

affected

v1.1.0-228 (rpm) before *

unaffected

Default status

affected

v5.8.1-471 (rpm) before *

unaffected

Default status

affected

v2.9.6-15 (rpm) before *

unaffected

Default status

affected

v5.7.13-3 (rpm) before *

unaffected

Default status

affected

v5.7.13-27 (rpm) before *

unaffected

Default status

affected

v5.7.13-12 (rpm) before *

unaffected

Default status

affected

v0.1.0-527 (rpm) before *

unaffected

Default status

affected

v0.1.0-225 (rpm) before *

unaffected

Default status

affected

v0.28.1-57 (rpm) before *

unaffected

Default status

unaffected

Default status

unaffected

Default status

unaffected

Default status

affected

Timeline

2023-12-18:	Reported to Red Hat.
2023-12-21:	Made public.

References

www.openwall.com/lists/oss-security/2024/04/10/18

www.openwall.com/lists/oss-security/2024/04/10/21

www.openwall.com/lists/oss-security/2024/04/11/7

www.openwall.com/lists/oss-security/2024/04/11/9

www.openwall.com/lists/oss-security/2024/04/12/1

www.openwall.com/lists/oss-security/2024/04/12/2

www.openwall.com/lists/oss-security/2024/04/16/2

www.openwall.com/lists/oss-security/2024/04/17/1

access.redhat.com/errata/RHSA-2024:0930 (RHSA-2024:0930) vendor-advisory

access.redhat.com/errata/RHSA-2024:0937 (RHSA-2024:0937) vendor-advisory

access.redhat.com/errata/RHSA-2024:1018 (RHSA-2024:1018) vendor-advisory

access.redhat.com/errata/RHSA-2024:1019 (RHSA-2024:1019) vendor-advisory

access.redhat.com/errata/RHSA-2024:1055 (RHSA-2024:1055) vendor-advisory

access.redhat.com/errata/RHSA-2024:1250 (RHSA-2024:1250) vendor-advisory

access.redhat.com/errata/RHSA-2024:1253 (RHSA-2024:1253) vendor-advisory

access.redhat.com/errata/RHSA-2024:1306 (RHSA-2024:1306) vendor-advisory

access.redhat.com/errata/RHSA-2024:1607 (RHSA-2024:1607) vendor-advisory

access.redhat.com/errata/RHSA-2024:1612 (RHSA-2024:1612) vendor-advisory

access.redhat.com/errata/RHSA-2024:1614 (RHSA-2024:1614) vendor-advisory

access.redhat.com/errata/RHSA-2024:2093 (RHSA-2024:2093) vendor-advisory

access.redhat.com/errata/RHSA-2024:2394 (RHSA-2024:2394) vendor-advisory

access.redhat.com/errata/RHSA-2024:2621 (RHSA-2024:2621) vendor-advisory

access.redhat.com/errata/RHSA-2024:2697 (RHSA-2024:2697) vendor-advisory

access.redhat.com/errata/RHSA-2024:4577 (RHSA-2024:4577) vendor-advisory

access.redhat.com/errata/RHSA-2024:4729 (RHSA-2024:4729) vendor-advisory

access.redhat.com/errata/RHSA-2024:4731 (RHSA-2024:4731) vendor-advisory

access.redhat.com/security/cve/CVE-2023-6546 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2255498 (RHBZ#2255498) issue-tracking

github.com/...ommit/3c4f8333b582487a2d1e02171f1465531cde53e3

www.zerodayinitiative.com/advisories/ZDI-CAN-20527

access.redhat.com/errata/RHSA-2024:0930 (RHSA-2024:0930) vendor-advisory

access.redhat.com/errata/RHSA-2024:0937 (RHSA-2024:0937) vendor-advisory

access.redhat.com/errata/RHSA-2024:1018 (RHSA-2024:1018) vendor-advisory

access.redhat.com/errata/RHSA-2024:1019 (RHSA-2024:1019) vendor-advisory

access.redhat.com/errata/RHSA-2024:1055 (RHSA-2024:1055) vendor-advisory

access.redhat.com/errata/RHSA-2024:1250 (RHSA-2024:1250) vendor-advisory

access.redhat.com/errata/RHSA-2024:1253 (RHSA-2024:1253) vendor-advisory

access.redhat.com/errata/RHSA-2024:1306 (RHSA-2024:1306) vendor-advisory

access.redhat.com/errata/RHSA-2024:1607 (RHSA-2024:1607) vendor-advisory

access.redhat.com/errata/RHSA-2024:1612 (RHSA-2024:1612) vendor-advisory

access.redhat.com/errata/RHSA-2024:1614 (RHSA-2024:1614) vendor-advisory

access.redhat.com/errata/RHSA-2024:2093 (RHSA-2024:2093) vendor-advisory

access.redhat.com/errata/RHSA-2024:2394 (RHSA-2024:2394) vendor-advisory

access.redhat.com/errata/RHSA-2024:2621 (RHSA-2024:2621) vendor-advisory

access.redhat.com/errata/RHSA-2024:2697 (RHSA-2024:2697) vendor-advisory

access.redhat.com/errata/RHSA-2024:4577 (RHSA-2024:4577) vendor-advisory

access.redhat.com/errata/RHSA-2024:4729 (RHSA-2024:4729) vendor-advisory

access.redhat.com/errata/RHSA-2024:4731 (RHSA-2024:4731) vendor-advisory

access.redhat.com/errata/RHSA-2024:4970 (RHSA-2024:4970) vendor-advisory

access.redhat.com/security/cve/CVE-2023-6546 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2255498 (RHBZ#2255498) issue-tracking

github.com/...ommit/3c4f8333b582487a2d1e02171f1465531cde53e3

www.zerodayinitiative.com/advisories/ZDI-CAN-20527

cve.org (CVE-2023-6546)

nvd.nist.gov (CVE-2023-6546)

Download JSON