CVE-2023-52997
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/03/2025
Last modified:
30/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
ipv4: prevent potential spectre v1 gadget in ip_metrics_convert()<br />
<br />
if (!type)<br />
continue;<br />
if (type > RTAX_MAX)<br />
return -EINVAL;<br />
...<br />
metrics[type - 1] = val;<br />
<br />
@type being used as an array index, we need to prevent<br />
cpu speculation or risk leaking kernel memory content.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.3 (including) | 4.19.272 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.231 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.166 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.91 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.9 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/1d1d63b612801b3f0a39b7d4467cad0abd60e5c8
- https://git.kernel.org/stable/c/34c6142f0df9cd75cba5a7aa9df0960d2854b415
- https://git.kernel.org/stable/c/6850fe301d015a7d2012d1de8caf43dafb7cc2f6
- https://git.kernel.org/stable/c/746db9ec1e672eee13965625ddac0d97e16fa20c
- https://git.kernel.org/stable/c/d50e7348b44f1e046121ff5be01b7fb6978a1149
- https://git.kernel.org/stable/c/ef050cf5fb70d995a0d03244e25179b7c66a924a