CVE-2023-5633

Kernel: vmwgfx: reference count issue leads to use-after-free in surface handling

Published: 10/23/2023 Last updated: 11/15/2024 Reserved: 10/18/2023

The reference count changes made as part of the CVE-2023-33951 and CVE-2023-33952 fixes exposed a use-after-free flaw in the way memory objects were handled when they were being used to store a surface. When running inside a VMware guest with 3D acceleration enabled, a local, unprivileged user could potentially use this flaw to escalate their privileges.

CNA assigner: redhat (53f830b8-0a3f-465b-8143-3b8a9948e749) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	7.8	High	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Opam packages affected (27)

albatross cdrom conf-bpftool conf-libbpf conf-linux-libc-dev core core_unix hvsock mirage-block-unix mm ocaml-probes orun rawlink rawlink-eio rawlink-lwt shell solo5 solo5-bindings-hvt solo5-bindings-spt solo5-cross-aarch64 solo5-kernel-ukvm tracy-client tuntap uring vhd-format vhd-format-lwt xapi-stdext-unix

Products affected (11)

Product	Vendor	Version
Red Hat Enterprise Linux 6	Red Hat	< 17.4R3-S5
Red Hat Enterprise Linux 7	Red Hat	< 18.1R3-S13
Red Hat Enterprise Linux 8.8 Extended Update Support	Red Hat	n/a
Red Hat Enterprise Linux 9	Red Hat	< publication
Red Hat Enterprise Linux 9	Red Hat	0
Red Hat Enterprise Linux 9.2 Extended Update Support	Red Hat	All BMC firmware versions prior to 00.19.07
Red Hat Enterprise Linux 8	Red Hat	11.5
Red Hat Enterprise Linux 9	Red Hat	4.50
Red Hat Enterprise Linux 9.2 Extended Update Support	Red Hat	n/a
Red Hat Enterprise Linux 7	Red Hat	< 6.1.11
Red Hat Enterprise Linux 8	Red Hat	< V3.1.2.2

References (16)

Credits (1)

Red Hat would like to thank Murray McAllister (NCC Group APAC) for reporting this issue.