{ "threat_severity" : "Low", "public_date" : "2025-12-24T00:00:00Z", "bugzilla" : { "description" : "kernel: vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check", "id" : "2424991", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2424991" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-125", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nvdpa: Add queue index attr to vdpa_nl_policy for nlattr length check\nThe vdpa_nl_policy structure is used to validate the nlattr when parsing\nthe incoming nlmsg. It will ensure the attribute being described produces\na valid nlattr pointer in info->attrs before entering into each handler\nin vdpa_nl_ops.\nThat is to say, the missing part in vdpa_nl_policy may lead to illegal\nnlattr after parsing, which could lead to OOB read just like CVE-2023-3773.\nThis patch adds the missing nla_policy for vdpa queue index attr to avoid\nsuch bugs.", "An out-of-bounds read vulnerability was found in the Linux kernel's vDPA (virtio Data Path Acceleration) netlink interface. The vdpa_nl_policy structure was missing the nla_policy entry for the queue index attribute. Without proper validation, parsing netlink messages with this attribute could result in an invalid nlattr pointer, leading to out-of-bounds memory reads similar to CVE-2023-3773." ], "statement" : "This flaw affects systems using vDPA for virtio device acceleration, typically in virtualization environments. The missing netlink attribute validation allows crafted netlink messages to cause OOB reads. Exploitation requires the ability to send netlink messages to the vDPA subsystem, which typically requires CAP_NET_ADMIN privileges or root access.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54031\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54031\nhttps://lore.kernel.org/linux-cve-announce/2025122437-CVE-2023-54031-90af@gregkh/T" ], "name" : "CVE-2023-54031", "csaw" : false }