Linux community members: we’ve got important security updates for you! Exploit code will soon become available for a critical vulnerability in the Linux kernel that a security researcher discovered and reported in mid-June. Dubbed StackRot (CVE-2023-3269), this severe bug enables attackers to escalate privileges and threatens the confidentiality, integrity and availability of impacted systems. Be sure to update your systems now to stay safe and secure.

But wait, there's more! We uncover other significant discoveries and fixes, including a code execution bug that has been fixed in the WebKitGTK web engine that may have been actively exploited, and several important DoS and code execution vulnerabilities that have been addressed in the Vim enhanced vi editor. Keep reading to learn more about these issues and how to protect against them.  

Yours in Open Source,

Brittany Signature 150 Esm W150

Linux Kernel

The Discovery 

Exploit code will soon become available for a critical vulnerability in the Linux kernel that a security researcher discovered and reported in mid-June. Dubbed StackRot (CVE-2023-3269), this bug impacts the Linux kernel 6.1 through 6.4. The data structure for managing virtual memory spaces in the Linux kernel handles a particular memory management function in a manner that results in use-after-free-by-RCU (UAFBR) issues. The security researcher who discovered StackRot, Ruihan Li, describes the exploit for StackRot as likely the first to successfully exploit a UAFBR bug.

LinuxKernel Esm W206

The Impact

This flaw gives attackers a way to escalate privileges on affected systems.

The Fix

Important updates for the kernel that mitigate this severe vulnerability have been released. With a low attack complexity and a high confidentiality, integrity and availability impact, it is crucial that all impacted users apply the Linux kernel updates issued by their distro(s) immediately to protect against attacks leading to system downtime and compromise.

Your Related Advisories:

[distro_list_1]

WebKitGTK

The Discovery 

A type confusion issue that may have been actively exploited has been identified in the WebKitGTK web engine (CVE-2023-32439). With a low attack complexity and a high confidentiality, integrity and availability impact, this vulnerability has received a National Vulnerability Database severity rating of High.

Webkitgtk Esm W225

The Impact

This flaw may lead to arbitrary code execution by processing maliciously crafted web content. 

The Fix

An important WebKitGTK security update that fixes this bug has been released. We urge all impacted users to apply the WebKitGTK updates issued by their distro(s) as soon as possible to protect the confidentiality, integrity and availability of their systems and their sensitive data.

Your Related Advisories:

[distro_list_2]

Vim

The Discovery 

Several important security issues were discovered in the Vim enhanced vi editor, including an out-of-bounds read vulnerability (CVE-2022-0128), improper memory management when recording and using select mode (CVE-2022-0393), and incorrect handling of certain memory operations during a visual block yank (CVE-2022-0407). Due to their high confidentiality, integrity and availability impact, these bugs have received a National Vulnerability Database severity rating of High.

Vim Esm W224

The Impact

​​An attacker could possibly use these issues to cause a denial of service (DoS) or execute arbitrary code.

The Fix

An update for Vim that fixes these flaws is now available. We strongly recommend that all impacted users apply the Vim updates issued by their distro(s) immediately to prevent downtime or compromise due to an attack.

Your Related Advisories:

[distro_list_3]