CVE-2023-1295

7.8 HIGH

📋 TL;DR

A time-of-check to time-of-use (TOCTOU) vulnerability in the Linux kernel's io_uring subsystem allows a local user to escalate privileges to root. This affects Linux kernel versions 5.6 through 5.11. The vulnerability exists in the IORING_OP_CLOSE operation where race conditions can be exploited.

💻 Affected Systems

Products:
  • Linux kernel
Versions: 5.6 through 5.11 (inclusive)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Systems must have io_uring enabled (default in affected versions). Requires local user access to exploit.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains full root privileges, compromising the entire system and potentially accessing all data and resources.

🟠 Likely Case

Local user with existing access escalates to root, enabling installation of persistent malware, data exfiltration, or lateral movement.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to the compromised user's scope, but root access still poses significant risk.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring existing local access to the system.
🏢 Internal Only: HIGH - Any compromised local account can escalate to root, making this critical for multi-user systems and servers.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and race condition triggering. Proof-of-concept code has been published in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions with commit 9eac1904d3364254d622bf2c771c4f85cd435fc2 or later

Vendor Advisory: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=788d0824269bef539fe31a785b1517882eafed93

Restart Required: Yes

Instructions:

1. Update Linux kernel to version 5.12 or later.
2. For affected stable branches (5.10, 5.11), apply backported patch 788d0824269bef539fe31a785b1517882eafed93.
3. Reboot system to load new kernel.

🔧 Temporary Workarounds

Disable io_uring module

linux

Prevent loading of the vulnerable io_uring subsystem

echo 'blacklist io_uring' >> /etc/modprobe.d/blacklist-io_uring.conf
update-initramfs -u
reboot

Restrict user access

all

Limit local user accounts and implement strict access controls

🧯 If You Can't Patch

  • Implement strict user access controls and monitor for privilege escalation attempts
  • Deploy security monitoring tools to detect exploitation patterns and unauthorized root access

🔍 How to Verify

Check if Vulnerable:

Check kernel version: uname -r. If version is between 5.6 and 5.11 inclusive, system is vulnerable.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is 5.12+ or check for patch commit in kernel source: grep -q '9eac1904d3364254d622bf2c771c4f85cd435fc2' /proc/version_signature
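
The version check above as a script, added here as an example and not part of the advisory. It classifies a `uname -r` string against the 5.6 through 5.11 range and separately flags 5.10/5.11, the branches the page says receive a backported patch, so the version number alone does not settle those. The function names and the `/boot/config-<release>` path are assumptions.

```shell
#!/bin/sh
# Added example. The affected range (5.6 through 5.11) and the 5.10/5.11
# backport note come from the page; function names are illustrative.

# classify_release RELEASE prints one of:
#   not-in-range       below 5.6, or 5.12 and later
#   in-range           5.6 to 5.9
#   in-range-backport  5.10 or 5.11: fix may be backported, version is not proof
#   unparsed           string does not start with MAJOR.MINOR
classify_release() {
    case "$1" in *.*) ;; *) echo unparsed; return 1 ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}          # "10.0-21-amd64" -> "10", "11-rc1" -> "11"
    case "$major" in ''|*[!0-9]*) echo unparsed; return 1 ;; esac
    [ -n "$minor" ] || { echo unparsed; return 1; }
    if [ "$major" -ne 5 ] || [ "$minor" -lt 6 ] || [ "$minor" -gt 11 ]; then
        echo not-in-range
    elif [ "$minor" -ge 10 ]; then
        echo in-range-backport
    else
        echo in-range
    fi
}

# io_uring_built_in CONFIG_FILE prints yes, no or unknown.
# CONFIG_IO_URING is a build-time option; the config file location
# (/boot/config-<release> below) varies by distribution and is assumed.
io_uring_built_in() {
    [ -r "$1" ] || { echo unknown; return 0; }
    if grep -q '^CONFIG_IO_URING=y' "$1"; then echo yes; else echo no; fi
}

# Summarise the running system on one line.
report() {
    running=$(uname -r)
    printf '%s: %s, CONFIG_IO_URING=%s\n' "$running" \
        "$(classify_release "$running")" \
        "$(io_uring_built_in "/boot/config-$running")"
}

report
```

An `in-range-backport` result means the build has to be checked against the distribution's own advisory or changelog for the backported commit.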

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation events in audit logs
  • Multiple failed IORING_OP_CLOSE operations
  • Unexpected root user activity from non-privileged accounts

Network Indicators:

  • None - this is a local exploit

SIEM Query:

source="audit.log" AND ((event_type="SYSCALL" AND syscall="io_uring_enter" AND result="-EPERM") OR (user="root" AND source_user!="root"))
