A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation.
2023-11-09T20:15:08.730
2024-11-21T08:14:53.863
Modified
CVSSv3.1: 7.5 (HIGH)
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Operating System | linux | linux_kernel | < 6.5 | Yes |
| Operating System | linux | linux_kernel | 6.5 | Yes |
| Operating System | linux | linux_kernel | 6.5 | Yes |
| Operating System | linux | linux_kernel | 6.5 | Yes |
| Operating System | linux | linux_kernel | 6.5 | Yes |
| Operating System | linux | linux_kernel | 6.5 | Yes |
| Operating System | linux | linux_kernel | 6.5 | Yes |
| Operating System | fedoraproject | fedora | 38 | Yes |
| Operating System | redhat | enterprise_linux | 8.0 | Yes |
| Operating System | redhat | enterprise_linux | 9.0 | Yes |