CVE-2020-36789: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context If a driver calls can_get_echo_skb() during a hardware IRQ (which is often, but not always, the case), the 'WARN_ON(in_irq)' in net/core/skbuff.c#skb_release_head_state() might be triggered, under network congestion circumstances, together with the potential risk of a NULL pointer dereference. The root cause of this issue is the call to kfree_skb() instead of dev_kfree_skb_irq() in net/core/dev.c#enqueue_to_backlog(). This patch prevents the skb to be freed within the call to netif_rx() by incrementing its reference count with skb_get(). The skb is finally freed by one of the in-irq-context safe functions: dev_consume_skb_any() or dev_kfree_skb_any(). The "any" version is used because some drivers might call can_get_echo_skb() in a normal context. The reason for this issue to occur is that initially, in the core network stack, loopback skb were not supposed to be received in hardware IRQ context. The CAN stack is an exeption. This bug was previously reported back in 2017 in [1] but the proposed patch never got accepted. While [1] directly modifies net/core/dev.c, we try to propose here a smoother modification local to CAN network stack (the assumption behind is that only CAN devices are affected by this issue). [1] http://lore.kernel.org/r/57a3ffb6-3309-3ad5-5a34-e93c3fe3614d@cetitec.com
AI Analysis
Technical Summary
CVE-2020-36789 is a vulnerability in the Linux kernel's Controller Area Network (CAN) subsystem related to improper handling of socket buffers (skbs) during hardware interrupt (IRQ) context. Specifically, the issue arises when the function can_get_echo_skb() is called in a hard IRQ context, which can trigger a WARN_ON(in_irq) warning in skb_release_head_state() under network congestion. The root cause is the inappropriate use of kfree_skb() to free skbs in an IRQ context instead of the IRQ-safe dev_kfree_skb_irq() function. This can lead to a NULL pointer dereference and potential kernel instability or crashes. The vulnerability stems from the fact that the CAN network stack is an exception to the original design assumption that loopback skbs are not received in hardware IRQ context. The patch to fix this issue involves incrementing the skb reference count with skb_get() to prevent premature freeing within netif_rx(), and deferring skb freeing to IRQ-safe functions dev_consume_skb_any() or dev_kfree_skb_any(). This fix is localized to the CAN network stack, as it is believed only CAN devices are affected. The vulnerability was initially reported in 2017 but was not accepted until now. There are no known exploits in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability primarily affects systems running Linux kernels with CAN network stack support, which is common in embedded systems, automotive, industrial control systems, and IoT devices. Exploitation could cause kernel warnings, NULL pointer dereferences, and potential system crashes or reboots, leading to denial of service (DoS). In critical infrastructure sectors such as automotive manufacturing, industrial automation, and transportation, where CAN bus is widely used, this could disrupt operations and safety systems. While it does not directly lead to privilege escalation or data leakage, the resulting instability can impact availability and reliability of critical systems. Organizations relying on Linux-based embedded devices or industrial controllers with CAN interfaces are at higher risk. The lack of known exploits reduces immediate threat but patching is important to prevent future exploitation, especially in congested network environments where the bug manifests.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2020-36789 as soon as they are available from trusted Linux distributions or kernel maintainers. 2. For embedded and industrial systems, coordinate with device vendors to ensure updated firmware or kernel versions are deployed. 3. Monitor kernel logs for WARN_ON(in_irq) messages related to skb_release_head_state() as an indicator of potential triggering of this issue. 4. Limit network congestion on CAN interfaces where possible to reduce the chance of triggering the bug. 5. Implement robust system monitoring and automated recovery mechanisms to handle unexpected kernel crashes or reboots. 6. For systems where patching is delayed, consider isolating CAN-enabled devices from critical networks to reduce impact. 7. Engage with Linux kernel maintainers or security teams for guidance on backporting patches to older kernel versions if necessary.
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Sweden, Finland
CVE-2020-36789: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context If a driver calls can_get_echo_skb() during a hardware IRQ (which is often, but not always, the case), the 'WARN_ON(in_irq)' in net/core/skbuff.c#skb_release_head_state() might be triggered, under network congestion circumstances, together with the potential risk of a NULL pointer dereference. The root cause of this issue is the call to kfree_skb() instead of dev_kfree_skb_irq() in net/core/dev.c#enqueue_to_backlog(). This patch prevents the skb to be freed within the call to netif_rx() by incrementing its reference count with skb_get(). The skb is finally freed by one of the in-irq-context safe functions: dev_consume_skb_any() or dev_kfree_skb_any(). The "any" version is used because some drivers might call can_get_echo_skb() in a normal context. The reason for this issue to occur is that initially, in the core network stack, loopback skb were not supposed to be received in hardware IRQ context. The CAN stack is an exeption. This bug was previously reported back in 2017 in [1] but the proposed patch never got accepted. While [1] directly modifies net/core/dev.c, we try to propose here a smoother modification local to CAN network stack (the assumption behind is that only CAN devices are affected by this issue). [1] http://lore.kernel.org/r/57a3ffb6-3309-3ad5-5a34-e93c3fe3614d@cetitec.com
AI-Powered Analysis
Technical Analysis
CVE-2020-36789 is a vulnerability in the Linux kernel's Controller Area Network (CAN) subsystem related to improper handling of socket buffers (skbs) during hardware interrupt (IRQ) context. Specifically, the issue arises when the function can_get_echo_skb() is called in a hard IRQ context, which can trigger a WARN_ON(in_irq) warning in skb_release_head_state() under network congestion. The root cause is the inappropriate use of kfree_skb() to free skbs in an IRQ context instead of the IRQ-safe dev_kfree_skb_irq() function. This can lead to a NULL pointer dereference and potential kernel instability or crashes. The vulnerability stems from the fact that the CAN network stack is an exception to the original design assumption that loopback skbs are not received in hardware IRQ context. The patch to fix this issue involves incrementing the skb reference count with skb_get() to prevent premature freeing within netif_rx(), and deferring skb freeing to IRQ-safe functions dev_consume_skb_any() or dev_kfree_skb_any(). This fix is localized to the CAN network stack, as it is believed only CAN devices are affected. The vulnerability was initially reported in 2017 but was not accepted until now. There are no known exploits in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability primarily affects systems running Linux kernels with CAN network stack support, which is common in embedded systems, automotive, industrial control systems, and IoT devices. Exploitation could cause kernel warnings, NULL pointer dereferences, and potential system crashes or reboots, leading to denial of service (DoS). In critical infrastructure sectors such as automotive manufacturing, industrial automation, and transportation, where CAN bus is widely used, this could disrupt operations and safety systems. While it does not directly lead to privilege escalation or data leakage, the resulting instability can impact availability and reliability of critical systems. Organizations relying on Linux-based embedded devices or industrial controllers with CAN interfaces are at higher risk. The lack of known exploits reduces immediate threat but patching is important to prevent future exploitation, especially in congested network environments where the bug manifests.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2020-36789 as soon as they are available from trusted Linux distributions or kernel maintainers. 2. For embedded and industrial systems, coordinate with device vendors to ensure updated firmware or kernel versions are deployed. 3. Monitor kernel logs for WARN_ON(in_irq) messages related to skb_release_head_state() as an indicator of potential triggering of this issue. 4. Limit network congestion on CAN interfaces where possible to reduce the chance of triggering the bug. 5. Implement robust system monitoring and automated recovery mechanisms to handle unexpected kernel crashes or reboots. 6. For systems where patching is delayed, consider isolating CAN-enabled devices from critical networks to reduce impact. 7. Engage with Linux kernel maintainers or security teams for guidance on backporting patches to older kernel versions if necessary.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-26T17:07:27.435Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9835c4522896dcbea62c
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 6/26/2025, 10:09:51 AM
Last updated: 8/14/2025, 12:18:54 PM
Views: 14
Related Threats
CVE-2025-8978: Insufficient Verification of Data Authenticity in D-Link DIR-619L
HighCVE-2025-8946: SQL Injection in projectworlds Online Notes Sharing Platform
MediumCVE-2025-51965: n/a
UnknownCVE-2025-8976: Cross Site Scripting in givanz Vvveb
MediumCVE-2025-8980: Insufficient Verification of Data Authenticity in Tenda G1
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.