CVE-2023-52996
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/03/2025
Last modified:
30/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
ipv4: prevent potential spectre v1 gadget in fib_metrics_match()<br />
<br />
if (!type)<br />
continue;<br />
if (type > RTAX_MAX)<br />
return false;<br />
...<br />
fi_val = fi->fib_metrics->metrics[type - 1];<br />
<br />
@type being used as an array index, we need to prevent<br />
cpu speculation or risk leaking kernel memory content.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.14 (including) | 5.4.231 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.166 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.91 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.9 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/5e9398a26a92fc402d82ce1f97cc67d832527da0
- https://git.kernel.org/stable/c/7f9828fb1f688210e681268490576f0ca65c322a
- https://git.kernel.org/stable/c/8f0eb24f1a7a60ce635f0d757a46f1a37a4d467d
- https://git.kernel.org/stable/c/ca3cf947760de050d558293002ad3e7f4b8745d2
- https://git.kernel.org/stable/c/f9753ebd61be2d957b5504cbd3fd719674f05b7a