Bugzilla – Bug 1211530
VUL-0: CVE-2023-32248: kernel: Linux Kernel ksmbd Tree Connection NULL Pointer Dereference Denial-of-Service Vulnerability
Last modified: 2023-05-25 06:26:31 UTC
CVE-2023-32248

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable.

The specific flaw exists within the handling of SMB2_TREE_CONNECT and SMB2_QUERY_INFO commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-32248
https://www.zerodayinitiative.com/advisories/ZDI-23-696/

Reassigning to a concrete person to ensure progress [1] (feel free to pass to next one), see also the process at [2].

The report translates to https://github.com/torvalds/linux/commit/3ac00a2ab69b34189942afa9e862d5170cdcb018

Possibly needed in the `stable` branch before v6.4 is out.

[1] https://confluence.suse.com/display/KSS/Kernel+Security+Sentinel
[2] https://wiki.suse.net/index.php/SUSE-Labs/Kernel/Security