{"uuid": "eae628a8-5c90-43ed-8568-68c83143c27b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-52439", "type": "seen", "source": "https://t.me/arpsyndicate/3833", "content": "#ExploitObserverAlert\n\nCVE-2023-52439\n\nDESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2023-52439. In the Linux kernel, the following vulnerability has been resolved:  uio: Fix use-after-free in uio_open  core-1    core-2 ------------------------------------------------------- uio_unregister_device  uio_open     idev = idr_find() device_unregister(&idev->dev) put_device(&idev->dev) uio_device_release     get_device(&idev->dev) kfree(idev) uio_free_minor(minor)     uio_release     put_device(&idev->dev)     kfree(idev) -------------------------------------------------------  In the core-1 uio_unregister_device(), the device_unregister will kfree idev when the idev->dev kobject ref is 1. But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then: 1. After core-1 kfree idev, the core-2 will do use-after-free for idev. 2. When core-2 do uio_release and put_device, the idev will be double freed.  To address this issue, we can get idev atomic & inc idev reference with minor_lock.", "creation_timestamp": "2024-02-21T15:12:02.000000Z"}