Introducing Qwiet AI AutoFix! Reduce the time to secure code by 95% Read More

Fedora Linux has long been a favorite operating system (OS) for developers looking for an innovative, free environment. Originally developed and now sponsored by Red Hat, the open-source Fedora Project has a little something for everyone with its Workstation, Server, Internet of Things (IoT), Virtual Machine (VM), and container-optimized CoreOS options. 

As a trusted open-source OS, attackers will seek to exploit any vulnerabilities to poison the supply stream. Knowing these 39 Fedora Linux 38 vulnerabilities can help you secure your applications more effectively.

What is Fedora Linux 38 (F38)?

Fedora Linux 38 (F38) is the most recent release of the popular open-source OS. With F38’s April 2023 release, the Fedora Project brought developers:

  • New Spins that showcase different desktop environments
  • A mobile device image for Pinephone, Pinephone Pro, Pinetab, and Librem devices
  • Desktop experience enhancements, including a new lock screen, “background apps” on the quick menu, and accessibility setting improvements
  • Sysadmin improvements with the lighter-weight default package manager microdnf

39 F38 Vulnerabilities You Should Know

Although only released in April 2023, 158 vulnerabilities in F38 had been identified by September. However, since not all of those vulnerabilities pose the same risk, this list is based on the following factors:

  • Listed in the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerability (KEV) list
  • Exploit Prediction Scoring System (EPSS) rating above 1%, indicating the likelihood of exploitation in the next 30 days
  • Maximum base Common Vulnerability Scoring System (CVSS) score of 8.8 or above

The 39 F38 vulnerabilities you should be worried about are:

  1. CVE-2023-2136 (KEV): allowed a remote attacker who compromised the renderer process to perform a sandbox escape potentially via a crafted HTML page
  2. CVE-2023-3079 (KEV): allowed remote attacker to potentially exploit heap corruption via a crafted HTML page
  3. CVE-2023-34966 (EPSS 7.93%): allows an attacker to trigger an infinite loop by issuing a malformed RPC request that results in a denial of service (DoS) condition  
  4. CVE-2023-34967 (EPSS 7.55%): allows an attacker to trigger a process crash because multiple client connections share an RPC worker process, so affecting one shared RPC mdssvc worker process affects other clients this worker serves
  5. CVE-2023-38408 (EPSS 3.65%): allows attackers to execute code remotely if an agent is forwarded to an attacker-controlled system, related to an incomplete fix for CVE-2016-10009
  6. CVE-2023-24805: allows attackers with network access to a hosted print server to inject system commands that the running server can execute.
  7. CVE-2022-24834: allows attackers with specially crafted Lua scripts executing in Redis to trigger a heap overflow that results in heap corruption and potential remote code execution. 
  8. CVE-2023-34152: causes a remote code exec