A heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation.
If perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer.
We recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06.
Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | kernel | 2023-11-10 17:32 | ALAS-2023-1883 |
Amazon Linux 2 - Core | kernel | 2023-11-09 19:19 | ALAS2-2023-2340 |
Amazon Linux 2 - Kernel-5.10 Extra | kernel | 2023-11-09 20:27 | ALAS2KERNEL-5.10-2023-043 |
Amazon Linux 2 - Kernel-5.15 Extra | kernel | 2023-11-09 20:27 | ALAS2KERNEL-5.15-2023-030 |
Amazon Linux 2 - Kernel-5.4 Extra | kernel | 2023-11-09 20:26 | ALAS2KERNEL-5.4-2023-056 |
Amazon Linux 2023 | kernel | 2023-11-09 21:29 | ALAS2023-2023-430 |
Amazon Linux 2023 | kernel-livepatch-6.1.49-69.116 | 2023-12-06 07:53 | ALAS2023LIVEPATCH-2023-025 |
Amazon Linux 2023 | kernel-livepatch-6.1.49-70.116 | 2023-12-06 07:53 | ALAS2023LIVEPATCH-2023-026 |
Amazon Linux 2023 | kernel-livepatch-6.1.52-71.125 | 2023-12-06 07:53 | ALAS2023LIVEPATCH-2023-024 |
Amazon Linux 2023 | kernel-livepatch-6.1.55-75.123 | 2023-12-06 07:53 | ALAS2023LIVEPATCH-2023-023 |
Amazon Linux 2023 | kernel-livepatch-6.1.56-82.125 | 2023-12-06 07:52 | ALAS2023LIVEPATCH-2023-021 |
Amazon Linux 2023 | kernel-livepatch-6.1.59-84.139 | 2023-12-06 07:52 | ALAS2023LIVEPATCH-2023-022 |
Score Type | Score | Vector | |
---|---|---|---|
Amazon Linux | CVSSv3 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
NVD | CVSSv3 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |