Vulnerabilities in the QoS subsystem of the Linux kernel that allow local privilege escalation

Two vulnerabilities have been identified in the Linux kernel (CVE-2023-1281, CVE-2023-1829) that allow a local user to elevate their privileges on the system. The attack requires the ability to create and modify traffic classifiers, which needs the CAP_NET_ADMIN capability; an unprivileged user can obtain that capability inside a new network namespace if the system allows them to create user namespaces. The problems have been present since kernel 4.14 and are fixed in the 6.2 branch.

Both vulnerabilities are use-after-free bugs (memory accessed after it has been freed) in the tcindex traffic classifier (cls_tcindex), which is part of the QoS (Quality of Service) subsystem of the Linux kernel. The first (CVE-2023-1281) is a race condition when updating an imperfect-hash filter while packets may still be traversing it; the second (CVE-2023-1829) occurs when deleting a perfect-hash filter. Fixes can be tracked on the distributions' pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch. As a workaround that blocks exploitation, disable the creation of user namespaces by unprivileged users ("sudo sysctl -w kernel.unprivileged_userns_clone=0"). Note that this sysctl exists only in kernels carrying the Debian/Ubuntu/Arch patch; on a mainline kernel the equivalent is "sudo sysctl -w user.max_user_namespaces=0", which also prevents root in the init namespace from creating new user namespaces.
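The workaround above is a single sysctl, but a practitioner usually wants to know whether a given host is exposed at all. The following POSIX shell script is an added example, not code from the original article or from any distribution's tooling. It checks the three preconditions the article describes (a kernel in the reported 4.14 to pre-6.2 range, unprivileged user namespace creation allowed, and the cls_tcindex module available to be autoloaded by "tc filter add ... tcindex") and suggests the modprobe blacklist line as an additional hardening step. The function names (kernel_affected, userns_blocked, tcindex_available, audit_live), the "--audit" flag and the "install cls_tcindex /bin/false" line are this example's own; the version range is the one the article reports, so distribution kernels with backported fixes will still be flagged by the version check and must be verified against the distribution's advisory.

```shell
#!/bin/sh
# Added example: audit a host for the tcindex (CVE-2023-1281 / CVE-2023-1829)
# exploitation preconditions. Not part of the original article. Pure helpers
# take their input as arguments so they can be exercised without root or a
# particular kernel; audit_live reads the running system.

# kernel_affected VERSION: succeed if VERSION (e.g. "5.15.0-91-generic") falls
# in the range the article reports, 4.14 <= v < 6.2. Heuristic only: a distro
# kernel with a backported fix keeps its old version number.
kernel_affected() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}      # drop "-91-generic" style suffixes
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 14 ]; } || return 1
    [ "$major" -lt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -lt 2 ]; }
}

# userns_blocked CLONE MAX: succeed if unprivileged user namespace creation is
# disabled. CLONE is kernel.unprivileged_userns_clone (present only on
# Debian/Ubuntu/Arch-patched kernels; pass "" if the file does not exist),
# MAX is user.max_user_namespaces (mainline). Either being 0 removes the
# attacker's route to CAP_NET_ADMIN.
userns_blocked() {
    [ "${1:-1}" -eq 0 ] || [ "${2:-1}" -eq 0 ]
}

# tcindex_available: succeed if cls_tcindex is built into the running kernel
# or can be loaded as a module (tc autoloads it on first use).
tcindex_available() {
    rel=$(uname -r)
    grep -q 'cls_tcindex' "/lib/modules/$rel/modules.builtin" 2>/dev/null && return 0
    modinfo -n cls_tcindex >/dev/null 2>&1
}

# audit_live: run the checks against this host and print findings.
audit_live() {
    rel=$(uname -r)
    if kernel_affected "$rel"; then
        echo "kernel $rel: inside the reported 4.14..6.1 range; confirm backports with your distro advisory"
    else
        echo "kernel $rel: outside the reported range"
    fi

    clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null)
    max=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null)
    if userns_blocked "$clone" "$max"; then
        echo "user namespaces: unprivileged creation blocked (workaround in place)"
    else
        echo "user namespaces: unprivileged users can obtain CAP_NET_ADMIN in a new netns"
        if [ -n "$clone" ]; then
            echo "  fix: sysctl -w kernel.unprivileged_userns_clone=0"
        else
            echo "  fix: sysctl -w user.max_user_namespaces=0 (mainline kernel)"
        fi
    fi

    if tcindex_available; then
        echo "cls_tcindex: available; add 'install cls_tcindex /bin/false' to /etc/modprobe.d/ unless it is built in"
        if grep -q '^cls_tcindex' /proc/modules 2>/dev/null; then
            echo "  note: module is already loaded; blacklisting only takes effect after unload/reboot"
        fi
    else
        echo "cls_tcindex: not available on this kernel"
    fi
}

# Only touch the live system when asked explicitly, so the helpers above can
# be sourced and tested elsewhere.
case "${1:-}" in
    --audit) audit_live ;;
esac
```

Run it as "sh tcindex_check.sh --audit". The blacklist line only prevents autoloading; if the module is built into the kernel (listed in modules.builtin) the sysctl workaround or a patched kernel is the only option.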

Source: opennet.ru
