CVE-2023-39176

Key Information
CVE Number: CVE-2023-39176
Public Disclosure Date: June 10, 2024
Last Modified Date: November 15, 2024
Impact Level: Low
CVSS v3 Score: 5.8

Vulnerability Description
A flaw was found in the Linux kernel's ksmbd module (the in-kernel SMB server) in its handling of the SMB2 transform header while parsing SMB2 requests. User-supplied data in the header is accepted without sufficient validation, which can cause ksmbd to read beyond the bounds of a buffer. A remote, unauthenticated attacker could use this out-of-bounds read to disclose sensitive information from an affected Linux system. Only systems on which ksmbd is enabled are exposed; the issue does not exist where the module is not built or not loaded.

Affected Packages and Red Hat Security Patches
Product                      Status
Red Hat Enterprise Linux 6   Not affected
Red Hat Enterprise Linux 7   Not affected
Red Hat Enterprise Linux 8   Not affected
Red Hat Enterprise Linux 9   Not affected

CVSS v3 Score Details
CVSS v3 Base Score: 5.8 (vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None

Frequently Asked Questions
- Why does Red Hat's CVSS v3 score or impact differ from other vendors?
- My product is listed as "under investigation" or "affected"; when will Red Hat release a patch to fix this vulnerability?
- If my product is listed as "not being fixed," what should I do?
- What are mitigations?
- I have a Red Hat product, but it's not listed above; am I affected?
- Why is my security scanner reporting this vulnerability on my product, even though my product version is patched or unaffected?

External References
- CVE-2023-39176 (NVD Details)
- ZDI-24-586

Last Modified Date: November 15, 2024, at 5:21:25 PM UTC
Copyright: CVE description copyright © 2021
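The pattern named in the Vulnerability Description above, a length in the SMB2 transform header trusted before it is bounded against the bytes actually received, is shown below as an added illustration in C. This is not ksmbd source code and not the upstream fix; the field layout follows the SMB2 TRANSFORM_HEADER as documented in MS-SMB2 (52 bytes, little-endian), but the page does not say which field ksmbd mishandled, so the use of OriginalMessageSize as the untrusted length, the function names, and the constructed packets are all assumptions made for the example.

```c
/* Added illustration, not ksmbd source or its patch: a client-controlled length in
 * the SMB2 TRANSFORM_HEADER used without bounding it to the receive buffer, beside the
 * check that prevents the out-of-bounds read. Layout per MS-SMB2 2.2.41 (52 bytes, LE).
 * Treating OriginalMessageSize as the mishandled field is an assumption for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMB2_TRANSFORM_HDR_SIZE 52u
#define SMB2_TRANSFORM_PROTO_ID 0x424D53FDu /* wire bytes FD 'S' 'M' 'B' read as LE32 */
#define SMB2_HDR_SIZE           64u         /* a decrypted message must hold an SMB2 header */

struct smb2_transform_hdr {
    uint32_t protocol_id;
    uint8_t  signature[16];
    uint8_t  nonce[16];
    uint32_t original_message_size; /* client-controlled length of the ciphertext that follows */
    uint16_t reserved;
    uint16_t flags;                 /* EncryptionAlgorithm (3.0/3.0.2) or Flags (3.1.1) */
    uint64_t session_id;
};

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd_le64(const uint8_t *p) { return (uint64_t)rd_le32(p) | ((uint64_t)rd_le32(p + 4) << 32); }

/* Decode the fixed part. Guarantees only that the 52 header bytes themselves were received. */
static int decode_transform_hdr(const uint8_t *buf, size_t buf_len, struct smb2_transform_hdr *h)
{
    if (buf_len < SMB2_TRANSFORM_HDR_SIZE) return -1;
    h->protocol_id = rd_le32(buf);
    memcpy(h->signature, buf + 4, 16);
    memcpy(h->nonce, buf + 20, 16);
    h->original_message_size = rd_le32(buf + 36);
    h->reserved = rd_le16(buf + 40);
    h->flags = rd_le16(buf + 42);
    h->session_id = rd_le64(buf + 44);
    return h->protocol_id == SMB2_TRANSFORM_PROTO_ID ? 0 : -1;
}

/* Weak pattern: the payload length handed to decryption/parsing is whatever the peer
 * claimed. If it exceeds buf_len - 52, the consumer reads past the receive buffer. */
long payload_len_unchecked(const uint8_t *buf, size_t buf_len)
{
    struct smb2_transform_hdr h;
    if (decode_transform_hdr(buf, buf_len, &h) != 0) return -1;
    return (long)h.original_message_size;
}

/* Hardened pattern: the claimed length must fit in the bytes actually received and must
 * be at least one SMB2 header; anything else is rejected before any payload is touched. */
long payload_len_checked(const uint8_t *buf, size_t buf_len)
{
    struct smb2_transform_hdr h;
    if (decode_transform_hdr(buf, buf_len, &h) != 0) return -1;
    size_t avail = buf_len - SMB2_TRANSFORM_HDR_SIZE; /* no underflow: decode checked buf_len */
    if (h.original_message_size < SMB2_HDR_SIZE || h.original_message_size > avail) return -1;
    return (long)h.original_message_size;
}

/* Constructed packet (not a real capture): valid ProtocolId, OriginalMessageSize = claimed,
 * then payload_len filler bytes. Returns the total length, or 0 if it does not fit in cap. */
size_t build_packet(uint8_t *out, size_t cap, uint32_t claimed, size_t payload_len)
{
    size_t total = SMB2_TRANSFORM_HDR_SIZE + payload_len;
    if (total > cap) return 0;
    memset(out, 0, total);
    out[0] = 0xFD; out[1] = 'S'; out[2] = 'M'; out[3] = 'B';
    out[36] = (uint8_t)claimed;         out[37] = (uint8_t)(claimed >> 8);
    out[38] = (uint8_t)(claimed >> 16); out[39] = (uint8_t)(claimed >> 24);
    memset(out + SMB2_TRANSFORM_HDR_SIZE, 0xAA, payload_len);
    return total;
}

/* Run each parser on a packet that claims `claimed` bytes but actually carries `payload_len`. */
long demo_unchecked(uint32_t claimed, size_t payload_len)
{
    uint8_t pkt[512];
    size_t n = build_packet(pkt, sizeof pkt, claimed, payload_len);
    return n ? payload_len_unchecked(pkt, n) : -1;
}
long demo_checked(uint32_t claimed, size_t payload_len)
{
    uint8_t pkt[512];
    size_t n = build_packet(pkt, sizeof pkt, claimed, payload_len);
    return n ? payload_len_checked(pkt, n) : -1;
}

int main(void)
{
    printf("honest (64 claimed, 64 sent):      unchecked=%ld checked=%ld\n",
           demo_unchecked(64, 64), demo_checked(64, 64));
    printf("oversize (65536 claimed, 64 sent): unchecked=%ld checked=%ld\n",
           demo_unchecked(65536, 64), demo_checked(65536, 64));
    return 0;
}
```

The oversize case is the one that matters: the unchecked parser returns 65536 for a 116-byte packet, and whatever decrypts or walks that many bytes from the payload pointer reads far past the receive buffer, which is the information-disclosure primitive the advisory describes. The checked parser refuses it, and also refuses a claimed length too small to contain an SMB2 header, so the decrypted message cannot itself be under-read later.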