DEBIAN-CVE-2023-3609

DEBIAN-CVE-2023-3609 PUBLISHED CVSS 7.800000190734863 HIGH

A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.

Risk Scores

CVSS v3.1

7.800000190734863

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Debian	linux
Debian:11	linux	0, 5.10.84-1, 5.10.92-1
Debian:12	linux	6.1.27-1, 0, 6.1.27-1
Debian:13	linux	0, 0, 0
Debian:14	linux	0, 0, 0

Timeline

Jul 21, 2023 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2023-3609 advisory

Open in Interactive Console →