Hello Linux users,

Today, I’m alerting you of two critical vulnerabilities recently discovered in the Linux kernel, both of which received a National Vulnerability Database base score of 9.8 out of 10 due to how simple they are for attackers to exploit and their severe threat to affected systems.

Remote attackers could leverage these flaws to escalate privilege via network access and execute arbitrary code or carry out denial of service attacks on impacted systems, leading to loss of system access.

Read on to learn about other significant vulnerabilities recently discovered and fixed in your open-source programs and applications.

We're here to help you with any questions you have, or provide further guidance on how to upgrade your systems! Please email This email address is being protected from spambots. You need JavaScript enabled to view it. or reach out to us on X @lnxsec 

Give your friends the gift of security this holiday season! If you found today’s newsletter helpful and informative, please share it with a friend - or a few. Do you have a Linux security-related topic you'd like to cover for our audience? We welcome contributions from passionate and insightful community members who share our enthusiasm for Linux security!

Stay safe out there,

Brittany Signature 150

Linux Kernel

The Discovery 

Two critical vulnerabilities were recently discovered in the Linux kernel, which both received a National Vulnerability Database base score of 9.8 out of 10 due to how simple they are for attackers to exploit and their severe threat to impacted systems. CVE-2023-45871 is a buffer overflow vulnerability due to improper validation of received frames larger than the set MTU size in the Intel(R) PCI-Express Gigabit (igb) Ethernet driver in the Linux kernel. CVE-2023-25775 exists because the InfiniBand RDMA driver in the Linux kernel does not properly check for zero-length STAG or MR registration.

LinuxKernel

The Impact

These impactful bugs could enable a remote attacker to escalate privilege via network access and execute arbitrary code or carry out denial of service attacks, leading to loss of system access, data theft, or system hijacking.

The Fix

Essential updates for the Linux kernel have been released to mitigate these critical flaws. Given these vulnerabilities’ severe threat to affected systems, if left unpatched, we urge all impacted users to update as soon as possible. Doing so will protect against downtime and system compromise.

Your Related Advisories:

Register to Customize Your Advisories

Thunderbird

The Discovery 

Multiple severe vulnerabilities were found in the popular Thunderbird email client, including memory safety bugs that could be exploited to run arbitrary code or access sensitive data (CVE-2023-5730, CVE-2023-5721, and CVE-2023-6212) and a use-after-free in ReadableByteStreams due to ownership mismanagement (CVE-2023-6207). These bugs have been classified by the National Vulnerability Database as “high-severity” due to their widespread impact and damaging repercussions on affected systems.

Thunderbird

The Impact

These bugs could result in denial of service attacks, leading to loss of system access or the execution of arbitrary code, potentially resulting in data theft or system hijacking.

The Fix

An important Thunderbird has been released to mitigate these severe flaws. Given these vulnerabilities’ significant threat to affected systems, if left unpatched, we strongly recommend that all impacted users update as soon as possible. Doing so will protect against information loss, system compromise, and inconvenient, costly downtime due to an attack.

Your Related Advisories:

Register to Customize Your Advisories

Chromium

The Discovery 

More Linux distros have issued security advisory updates for a severe use-after-free vulnerability recently found in the popular open-source Chromium web browser (CVE-2023-5472). This bug enables a remote attacker to exploit heap corruption via a crafted HTML page. The flaw, which has received a National Vulnerability Database base score of 8.8 out of 10 (“High” severity), is related to a bug in the webRTC (Real-time Communication) functionality. This Chromium vulnerability is among the most severe threats to your personal information we’ve seen in quite a while!

Chromium

The Impact

This bug allows attackers to access portions of your computer's memory without authorization, potentially resulting in the unauthorized sharing of your personal information.

The Fix

Chromium has released a crucial security update that fixes this dangerous issue. Given this vulnerability's severe threat to affected systems, if left unpatched, we urge all impacted users who have not yet updated to the latest version of Chromium to update now. Patching will protect against loss of system access, system compromise, and data leakage, so don’t delay!

Your Related Advisories:

Register to Customize Your Advisories