Linux kernel copy_file_range CAP_SEEK privilege bypass
CVE-2023-5369 Published on October 4, 2023
Before correction, the copy_file_range system call checked only for the CAP_READ and CAP_WRITE capabilities on the input and output file descriptors, respectively. Using an offset is logically equivalent to seeking, and the system call must additionally require the CAP_SEEK capability. This incorrect privilege check enabled sandboxed processes with only read or write but no seek capability on a file descriptor to read data from or write data to an arbitrary location within the file corresponding to that file descriptor.
Weakness Type
Improper Check for Dropped Privileges
The software attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded. If the drop fails, the software will continue to run with the raised privileges, which might provide additional access to unprivileged users.
Products Associated with CVE-2023-5369
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-5369 are published in these products:
Affected Versions
FreeBSD:- Version 13.2-RELEASE and below p4 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.