QID 356409

2023-10-12:( CVE-2023-39192 was added to this advisory. 2023-10-12:( CVE-2023-39193 was added to this advisory. 2023-10-12:( CVE-2023-39194 was added to this advisory. a flaw was found in the linux kernels ip framework for transforming packets (xfrm subsystem).
This issue may allow a malicious user with cap_net_admin privileges to directly dereference a null pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. (
( CVE-2023-3772) netfilter: xt_u32: validate user space input note: https://www.zerodayinitiative.com/advisories/zdi-23-1490/ note: https://git.kernel.org/linus/69c5d284f67089b4750d28ff6ac6f52ec224b330 (6.6-rc1) (cve-2023-39192) netfilter: xt_sctp: validate the flag_info count note: https://www.zerodayinitiative.com/advisories/zdi-23-1491/ note: https://git.kernel.org/linus/e99476497687ef9e850748fe6d232264f30bc8f9 (6.6-rc1) (cve-2023-39193) net: xfrm: fix xfrm_address_filter oob read note: https://www.zerodayinitiative.com/advisories/zdi-23-1492/ note: https://git.kernel.org/linus/dfa73c17d55b921e1d4e154976de35317e43a93a (6.5-rc7) (cve-2023-39194) a use-after-free vulnerability in the linux kernels net/sched: cls_fw component can be exploited to achieve local privilege escalation. when fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter.
This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.

Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.