CVE-2023-4208: 
Linux Kernel vulnerability analysis and mitigation

A use-after-free vulnerability was discovered in the Linux kernel's net/sched: cls_u32 component that can be exploited to achieve local privilege escalation. The vulnerability was identified in September 2023 and affects Linux kernel versions prior to the fix implemented in commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81. The issue occurs when u32_change() is called on an existing filter, where the tcf_result struct is copied into the new instance of the filter (Kernel Commit).

The vulnerability stems from a design flaw where when u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free condition. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can be exploited to achieve local privilege escalation. By using unprivileged user namespaces, attackers can potentially elevate their privileges on the affected system. The issue affects multiple Linux distributions and versions, including various Ubuntu releases and Debian systems (Ubuntu Security).

The vulnerability has been fixed in Linux kernel commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81. The fix involves no longer copying the tcf_result struct from the old filter. Multiple Linux distributions have released patches, including Ubuntu and Debian. Users are strongly recommended to upgrade their kernel to versions containing the fix (Kernel Commit).