CVE-2023-1249 Overview
CVE-2023-1249 is a use-after-free [CWE-416] vulnerability in the Linux kernel's core dump subsystem. The flaw allows a local, authenticated user to trigger a kernel crash, resulting in denial of service. The issue exists in kernels that have not applied commit 390031c94211 ("coredump: Use the vma snapshot in fill_files_note"). Exploitation requires local access with low privileges and no user interaction. The vulnerability affects availability only, with no impact on confidentiality or integrity.
Critical Impact
Local users can crash the kernel through the core dump subsystem, disrupting system availability on unpatched Linux distributions.
Affected Products
- Linux Kernel (versions prior to the inclusion of commit 390031c94211)
- CentOS Stream 9 distributions missing the upstream fix
- Downstream Linux distributions shipping unpatched kernel builds
Discovery Timeline
- 2023-03-23 - CVE-2023-1249 published to NVD
- 2025-03-19 - Last updated in NVD database
Technical Details for CVE-2023-1249
Vulnerability Analysis
The vulnerability resides in the Linux kernel's coredump path, specifically in the fill_files_note function. This function records information about the files mapped into a process when generating a core dump. Before the fix, fill_files_note walked the live virtual memory area (VMA) list without the synchronization needed to keep that list stable. Concurrent modifications to the process address space during core dump generation could therefore leave dangling references to freed VMA structures. Dereferencing those freed objects produces a use-after-free condition that destabilizes the kernel.
The upstream remediation, commit 390031c94211, switches fill_files_note to consume the pre-built VMA snapshot taken earlier in the coredump flow. Operating on the snapshot removes the race window because the data is no longer subject to concurrent teardown.
Root Cause
The root cause is unsynchronized access to VMA structures during core dump generation. The kernel freed VMAs that fill_files_note still referenced, satisfying the classic use-after-free pattern described by [CWE-416]. Successful triggering crashes the kernel rather than yielding code execution, consistent with the availability-only impact.
Attack Vector
Exploitation is local. An attacker with the ability to execute code as an unprivileged user induces a crashing process that produces a core dump while simultaneously manipulating the process address space. Timing the address space changes against the coredump path triggers the freed-memory dereference. No network access, no elevated privileges, and no user interaction are required.
No public proof-of-concept is referenced in the advisory data, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Kernel Patch Submission Discussion for upstream technical details.
Detection Methods for CVE-2023-1249
Indicators of Compromise
- Unexpected kernel oops or panic entries in dmesg or /var/log/messages referencing fill_files_note or the coredump path.
- Repeated process crashes from a single unprivileged user followed by kernel instability.
- Core dump generation events correlated in time with kernel fault traces.
Detection Strategies
- Inventory running kernel versions and compare against vendor advisories to identify hosts missing commit 390031c94211.
- Audit kernel crash telemetry for stack traces involving do_coredump, elf_core_dump, or fill_files_note.
- Monitor for abnormal volumes of SIGSEGV or SIGABRT events from non-privileged accounts that produce core files.
Monitoring Recommendations
- Forward kernel ring buffer messages and kdump artifacts to a centralized log platform for analysis.
- Alert on host availability drops, unplanned reboots, or kdump captures on Linux systems running susceptible kernels.
- Track use of prctl(PR_SET_DUMPABLE) and core pattern modifications by unprivileged processes.
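The indicators and detection strategies above, worked through as an added example that is not part of this advisory: a POSIX shell script that counts kernel fault lines in a dmesg excerpt, counts "Call Trace:" blocks containing a frame from do_coredump, elf_core_dump or fill_files_note, and tallies systemd-coredump journal entries per uid to surface the "repeated crashes from one unprivileged user" indicator. Every sample log line is constructed (made-up timestamps, PIDs, uids and symbol offsets); the systemd-coredump message format "Process N (name) of user U dumped core." and the journalctl -t identifier filter are assumptions about the host's logging stack, not something the advisory states.

```shell
#!/bin/sh
# Added example (not part of the advisory): scan kernel and journal logs for
# the coredump-path indicators listed above. Sample lines are constructed.

# --- Constructed dmesg excerpt (timestamps, PIDs and offsets are made up) ---
SAMPLE_DMESG=$(mktemp)
cat > "$SAMPLE_DMESG" <<'EOF'
[ 1234.567890] BUG: KASAN: use-after-free in fill_files_note+0x1a2/0x3f0
[ 1234.567901] Call Trace:
[ 1234.567905]  fill_files_note+0x1a2/0x3f0
[ 1234.567910]  elf_core_dump+0x5b0/0x9c0
[ 1234.567915]  do_coredump+0x8e4/0x10a0
[ 1234.567920]  get_signal+0x3c1/0x5e0
[ 2000.000001] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[ 2100.000001] WARNING: CPU: 1 PID: 42 at fs/ext4/inode.c:123
[ 2100.000005] Call Trace:
[ 2100.000010]  ext4_map_blocks+0x12/0x40
[ 2100.000015]  ext4_writepages+0x99/0x1a0
EOF

# --- Constructed systemd-coredump journal excerpt (uids/PIDs are made up) ---
SAMPLE_JOURNAL=$(mktemp)
cat > "$SAMPLE_JOURNAL" <<'EOF'
Mar 23 10:00:01 host systemd-coredump[2001]: Process 1990 (crashme) of user 1000 dumped core.
Mar 23 10:00:02 host systemd-coredump[2005]: Process 1995 (crashme) of user 1000 dumped core.
Mar 23 10:00:02 host systemd-coredump[2009]: Process 1999 (crashme) of user 1000 dumped core.
Mar 23 10:00:03 host systemd-coredump[2013]: Process 2010 (editor) of user 1001 dumped core.
Mar 23 10:00:04 host sshd[2020]: Accepted publickey for alice from 10.0.0.5 port 50000
EOF
trap 'rm -f "$SAMPLE_DMESG" "$SAMPLE_JOURNAL"' EXIT

# Count lines that signal a kernel fault (oops/BUG/panic/GPF). A plain
# WARNING is deliberately not counted. "|| true" keeps a zero count non-fatal.
count_kernel_faults() {
    grep -Ec 'BUG:|Oops:|Kernel panic|general protection fault' "$1" || true
}

# Count "Call Trace:" blocks that include a coredump-path frame. A block runs
# from "Call Trace:" through the following indented "symbol+0x..." lines and
# ends at the first line that is not a frame.
count_coredump_traces() {
    awk '
        /Call Trace:/ { if (in_trace && hit) n++; in_trace = 1; hit = 0; next }
        in_trace && /^\[[0-9. ]*\]  [A-Za-z0-9_.?]+[+]0x/ {
            if ($0 ~ /(do_coredump|elf_core_dump|fill_files_note)[+]0x/) hit = 1
            next
        }
        { if (in_trace && hit) n++; in_trace = 0; hit = 0 }
        END { if (in_trace && hit) n++; print n + 0 }
    ' "$1"
}

# Print "uid count" for every user that produced a core dump, based on the
# systemd-coredump message "Process N (name) of user U dumped core."
core_dumps_per_user() {
    awk '/dumped core\./ {
             for (i = 1; i <= NF; i++) if ($i == "user") uids[$(i + 1)]++
         }
         END { for (u in uids) print u, uids[u] }' "$1" | sort -n
}

# Print uids with at least $2 core dumps in file $1.
users_at_or_over() {
    core_dumps_per_user "$1" | awk -v min="$2" '$2 >= min { print $1 }'
}

# Summary over the constructed samples. On a real host, feed the output of
# `dmesg` and `journalctl -t systemd-coredump` instead.
echo "kernel fault lines:        $(count_kernel_faults "$SAMPLE_DMESG")"
echo "coredump-path call traces: $(count_coredump_traces "$SAMPLE_DMESG")"
echo "users with >=3 core dumps: $(users_at_or_over "$SAMPLE_JOURNAL" 3)"
```

The trace counter keys on the three function names the advisory lists, so an ext4 trace in the same log does not fire; pair it with the per-uid tally, since one user producing a burst of core files immediately before a coredump-path fault is the combination the Indicators of Compromise describe.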
How to Mitigate CVE-2023-1249
Immediate Actions Required
- Apply the upstream Linux kernel fix that introduces commit 390031c94211 ("coredump: Use the vma snapshot in fill_files_note").
- Update to a distribution kernel package that backports the patch, prioritizing systems exposed to multi-tenant or untrusted local users.
- Reboot affected hosts after kernel package installation so the patched image becomes active.
Patch Information
The authoritative fix is upstream Linux kernel commit 390031c94211. Refer to the Kernel Patch Submission Discussion and the Packet Storm Security Advisory for distribution-specific guidance. CentOS Stream 9 administrators should verify their installed kernel includes the backport.
Workarounds
- Disable core dump generation for untrusted workloads by setting ulimit -c 0 or configuring /proc/sys/kernel/core_pattern to discard dumps.
- Restrict local shell access on multi-user systems to reduce the population of accounts able to trigger the race.
- Apply seccomp or process limits that constrain unprivileged users from rapidly creating crashing children that emit core files.
# Configuration example: disable core dumps system-wide until patched
# limits.conf applies to PAM login sessions; systemd services need LimitCORE=0 separately
echo '* hard core 0' | sudo tee -a /etc/security/limits.conf
# sysctl -w is runtime-only; add the same keys under /etc/sysctl.d/ to persist across reboots
sudo sysctl -w kernel.core_pattern=/dev/null
sudo sysctl -w fs.suid_dumpable=0
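A companion check for the workaround above, added here and not part of the advisory: a POSIX shell script that evaluates whether kernel.core_pattern, fs.suid_dumpable and /etc/security/limits.conf together discard core dumps, plus a package changelog lookup for RPM-based distributions such as CentOS Stream 9. The limits files used in the self-test are constructed; check_live_host (reads /proc) and kernel_changelog_mentions_cve (uses rpm) are assumptions about the host, not tooling the advisory names.

```shell
#!/bin/sh
# Added example (not from the advisory): verify the core dump workaround.

# Return 0 when the three settings together discard core dumps:
#   $1 = kernel.core_pattern value
#   $2 = fs.suid_dumpable value
#   $3 = path to a limits.conf file
coredump_disabled() {
    pattern=$1; suid=$2; limits=$3
    case "$pattern" in
        /dev/null|"|/bin/false"|"|/usr/bin/false") pattern_ok=1 ;;  # discard, or pipe to false
        *) pattern_ok=0 ;;
    esac
    if [ "$suid" = "0" ]; then suid_ok=1; else suid_ok=0; fi
    # '* hard core 0' caps the core size for every PAM login session.
    if grep -Eq '^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0([[:space:]]|$)' "$limits"; then
        limit_ok=1
    else
        limit_ok=0
    fi
    [ "$pattern_ok" = 1 ] && [ "$suid_ok" = 1 ] && [ "$limit_ok" = 1 ]
}

# Map a set of values to a one-word verdict (handy for reports and tests).
classify() {
    if coredump_disabled "$1" "$2" "$3"; then echo hardened; else echo exposed; fi
}

# Report the live host's settings (Linux only; needs read access to /proc).
check_live_host() {
    live_pattern=$(cat /proc/sys/kernel/core_pattern)
    live_suid=$(cat /proc/sys/fs/suid_dumpable)
    echo "live host: $(classify "$live_pattern" "$live_suid" /etc/security/limits.conf)" \
         "(core_pattern='$live_pattern', suid_dumpable=$live_suid)"
}

# On RPM-based distributions the kernel package changelog usually names fixed
# CVEs. An empty result is not proof the fix is missing: a backport may cite
# the commit subject ("coredump: Use the vma snapshot in fill_files_note")
# rather than the CVE id, so treat this as a hint, not an inventory answer.
kernel_changelog_mentions_cve() {
    rpm -q --changelog kernel 2>/dev/null | grep -i 'CVE-2023-1249'
}

# --- Constructed limits.conf files for the self-test ------------------------
LIMITS_HARDENED=$(mktemp)
printf '# constructed sample\n*   hard   core   0\n' > "$LIMITS_HARDENED"
LIMITS_DEFAULT=$(mktemp)
printf '# constructed sample: no core limit set\n*   soft   nofile   4096\n' > "$LIMITS_DEFAULT"
trap 'rm -f "$LIMITS_HARDENED" "$LIMITS_DEFAULT"' EXIT

# Constructed hosts: one with the workaround applied, one with kernel defaults.
echo "constructed hardened host: $(classify /dev/null 0 "$LIMITS_HARDENED")"
echo "constructed default host:  $(classify core 2 "$LIMITS_DEFAULT")"
# On a real host, run:
# check_live_host
# kernel_changelog_mentions_cve || echo "CVE id not found in kernel changelog"
```

The check requires all three settings because each covers a different path: core_pattern decides where the kernel writes any dump, the hard limit stops interactive sessions from re-enabling dumps with ulimit, and suid_dumpable governs processes that changed credentials. A host that only sets one of them reports "exposed".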
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.