CVE-2023-0266 in Linux and Canonical Products
Published on January 30, 2023

A use after free vulnerability exists in the ALSA PCM package in the Linux Kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result in a priviledge escalation to gain ring0 access from the system user. We recommend upgrading past commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e

Vendor Advisory NVD

Known Exploited Vulnerability

This Linux Kernel Use-After-Free Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Linux kernel contains a use-after-free vulnerability that allows for privilege escalation to gain ring0 access from the system user.

The following remediation steps are recommended / required by April 20, 2023: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2023-0266 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 1.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

What is a Dangling pointer Vulnerability?

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

CVE-2023-0266 has been classified to as a Dangling pointer vulnerability or weakness.

Products Associated with CVE-2023-0266

You can be notified by stack.watch whenever vulnerabilities like CVE-2023-0266 are published in these products:

Linux Kernel

Canonical Ubuntu Linux

What versions are vulnerable to CVE-2023-0266?