CVE-2023-52446: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a race condition between btf_put() and map_free() When running `./test_progs -j` in my local vm with latest kernel, I once hit a kasan error like below: [ 1887.184724] BUG: KASAN: slab-use-after-free in bpf_rb_root_free+0x1f8/0x2b0 [ 1887.185599] Read of size 4 at addr ffff888106806910 by task kworker/u12:2/2830 [ 1887.186498] [ 1887.186712] CPU: 3 PID: 2830 Comm: kworker/u12:2 Tainted: G OEL 6.7.0-rc3-00699-g90679706d486-dirty #494 [ 1887.188034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 1887.189618] Workqueue: events_unbound bpf_map_free_deferred [ 1887.190341] Call Trace: [ 1887.190666] <TASK> [ 1887.190949] dump_stack_lvl+0xac/0xe0 [ 1887.191423] ? nf_tcp_handle_invalid+0x1b0/0x1b0 [ 1887.192019] ? panic+0x3c0/0x3c0 [ 1887.192449] print_report+0x14f/0x720 [ 1887.192930] ? preempt_count_sub+0x1c/0xd0 [ 1887.193459] ? __virt_addr_valid+0xac/0x120 [ 1887.194004] ? bpf_rb_root_free+0x1f8/0x2b0 [ 1887.194572] kasan_report+0xc3/0x100 [ 1887.195085] ? bpf_rb_root_free+0x1f8/0x2b0 [ 1887.195668] bpf_rb_root_free+0x1f8/0x2b0 [ 1887.196183] ? __bpf_obj_drop_impl+0xb0/0xb0 [ 1887.196736] ? preempt_count_sub+0x1c/0xd0 [ 1887.197270] ? preempt_count_sub+0x1c/0xd0 [ 1887.197802] ? _raw_spin_unlock+0x1f/0x40 [ 1887.198319] bpf_obj_free_fields+0x1d4/0x260 [ 1887.198883] array_map_free+0x1a3/0x260 [ 1887.199380] bpf_map_free_deferred+0x7b/0xe0 [ 1887.199943] process_scheduled_works+0x3a2/0x6c0 [ 1887.200549] worker_thread+0x633/0x890 [ 1887.201047] ? __kthread_parkme+0xd7/0xf0 [ 1887.201574] ? kthread+0x102/0x1d0 [ 1887.202020] kthread+0x1ab/0x1d0 [ 1887.202447] ? pr_cont_work+0x270/0x270 [ 1887.202954] ? kthread_blkcg+0x50/0x50 [ 1887.203444] ret_from_fork+0x34/0x50 [ 1887.203914] ? kthread_blkcg+0x50/0x50 [ 1887.204397] ret_from_fork_asm+0x11/0x20 [ 1887.204913] </TASK> [ 1887.204913] </TASK> [ 1887.205209] [ 1887.205416] Allocated by task 2197: [ 1887.205881] kasan_set_track+0x3f/0x60 [ 1887.206366] __kasan_kmalloc+0x6e/0x80 [ 1887.206856] __kmalloc+0xac/0x1a0 [ 1887.207293] btf_parse_fields+0xa15/0x1480 [ 1887.207836] btf_parse_struct_metas+0x566/0x670 [ 1887.208387] btf_new_fd+0x294/0x4d0 [ 1887.208851] __sys_bpf+0x4ba/0x600 [ 1887.209292] __x64_sys_bpf+0x41/0x50 [ 1887.209762] do_syscall_64+0x4c/0xf0 [ 1887.210222] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 1887.210868] [ 1887.211074] Freed by task 36: [ 1887.211460] kasan_set_track+0x3f/0x60 [ 1887.211951] kasan_save_free_info+0x28/0x40 [ 1887.212485] ____kasan_slab_free+0x101/0x180 [ 1887.213027] __kmem_cache_free+0xe4/0x210 [ 1887.213514] btf_free+0x5b/0x130 [ 1887.213918] rcu_core+0x638/0xcc0 [ 1887.214347] __do_softirq+0x114/0x37e The error happens at bpf_rb_root_free+0x1f8/0x2b0: 00000000000034c0 <bpf_rb_root_free>: ; { 34c0: f3 0f 1e fa endbr64 34c4: e8 00 00 00 00 callq 0x34c9 <bpf_rb_root_free+0x9> 34c9: 55 pushq %rbp 34ca: 48 89 e5 movq %rsp, %rbp ... ; if (rec && rec->refcount_off >= 0 && 36aa: 4d 85 ed testq %r13, %r13 36ad: 74 a9 je 0x3658 <bpf_rb_root_free+0x198> 36af: 49 8d 7d 10 leaq 0x10(%r13), %rdi 36b3: e8 00 00 00 00 callq 0x36b8 <bpf_rb_root_free+0x1f8> <==== kasan function 36b8: 45 8b 7d 10 movl 0x10(%r13), %r15d <==== use-after-free load 36bc: 45 85 ff testl %r15d, %r15d 36bf: 78 8c js 0x364d <bpf_rb_root_free+0x18d> So the problem ---truncated---
AI Analysis
Technical Summary
CVE-2023-52446 is a high-severity vulnerability in the Linux kernel related to the Berkeley Packet Filter (BPF) subsystem, specifically involving a race condition between the functions btf_put() and map_free(). The vulnerability manifests as a use-after-free (CWE-416) condition within the kernel's BPF map management code. This flaw was identified through kernel address sanitizer (KASAN) reports showing slab-use-after-free errors during execution of BPF test programs. The root cause is a race condition where a BPF map's reference counting and freeing operations are not properly synchronized, leading to the kernel attempting to access memory that has already been freed. The detailed kernel stack traces and disassembly excerpts indicate that the error occurs in the bpf_rb_root_free() function, where a freed object is accessed, causing memory corruption and potential kernel crashes. The vulnerability affects specific Linux kernel versions identified by commit hashes and was publicly disclosed on February 22, 2024. The CVSS v3.1 score is 7.8 (high), reflecting local attack vector with low complexity, requiring low privileges but no user interaction, and impacting confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the nature of the flaw allows for potential privilege escalation or denial of service attacks if exploited. This vulnerability is critical for systems relying on BPF for networking, security, or observability functions, as exploitation could compromise kernel stability or security guarantees. The fix involves proper synchronization and reference counting in the BPF map freeing logic to eliminate the race condition and prevent use-after-free errors.
Potential Impact
For European organizations, this vulnerability poses significant risks, especially for enterprises and service providers running Linux-based infrastructure with BPF-enabled kernels. BPF is widely used in modern Linux distributions for advanced networking, firewalling, and performance monitoring, making this vulnerability relevant across cloud providers, telecom operators, financial institutions, and critical infrastructure sectors. Exploitation could lead to kernel crashes causing denial of service, or potentially privilege escalation allowing attackers to gain kernel-level control, threatening confidentiality and integrity of sensitive data. Given the prevalence of Linux in server environments and embedded systems, the impact could extend to industrial control systems and IoT devices used in European manufacturing and utilities. The vulnerability's local attack vector means that attackers need some level of access, but this could be achieved through compromised user accounts or container escapes, which are common attack vectors in enterprise environments. The high severity rating underscores the need for urgent mitigation to prevent disruption of services and potential data breaches within European organizations.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2023-52446 as soon as vendors release them. Until patches are available, organizations should restrict access to systems running vulnerable kernels, especially limiting unprivileged user access and container workloads that could trigger BPF map operations. Employing kernel lockdown features and mandatory access controls (e.g., SELinux, AppArmor) can reduce the risk of local privilege escalation. Monitoring kernel logs for KASAN or use-after-free related errors can help detect attempted exploitation. Network segmentation and strict user privilege management will limit attacker movement in case of partial compromise. Additionally, organizations should review and harden container and virtualization environments to prevent untrusted code from invoking BPF operations. Coordinating with Linux distribution vendors and applying security advisories promptly is critical. Finally, conducting penetration testing and vulnerability scanning focused on kernel vulnerabilities can help identify exposure and validate mitigations.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2023-52446: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a race condition between btf_put() and map_free() When running `./test_progs -j` in my local vm with latest kernel, I once hit a kasan error like below: [ 1887.184724] BUG: KASAN: slab-use-after-free in bpf_rb_root_free+0x1f8/0x2b0 [ 1887.185599] Read of size 4 at addr ffff888106806910 by task kworker/u12:2/2830 [ 1887.186498] [ 1887.186712] CPU: 3 PID: 2830 Comm: kworker/u12:2 Tainted: G OEL 6.7.0-rc3-00699-g90679706d486-dirty #494 [ 1887.188034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 1887.189618] Workqueue: events_unbound bpf_map_free_deferred [ 1887.190341] Call Trace: [ 1887.190666] <TASK> [ 1887.190949] dump_stack_lvl+0xac/0xe0 [ 1887.191423] ? nf_tcp_handle_invalid+0x1b0/0x1b0 [ 1887.192019] ? panic+0x3c0/0x3c0 [ 1887.192449] print_report+0x14f/0x720 [ 1887.192930] ? preempt_count_sub+0x1c/0xd0 [ 1887.193459] ? __virt_addr_valid+0xac/0x120 [ 1887.194004] ? bpf_rb_root_free+0x1f8/0x2b0 [ 1887.194572] kasan_report+0xc3/0x100 [ 1887.195085] ? bpf_rb_root_free+0x1f8/0x2b0 [ 1887.195668] bpf_rb_root_free+0x1f8/0x2b0 [ 1887.196183] ? __bpf_obj_drop_impl+0xb0/0xb0 [ 1887.196736] ? preempt_count_sub+0x1c/0xd0 [ 1887.197270] ? preempt_count_sub+0x1c/0xd0 [ 1887.197802] ? _raw_spin_unlock+0x1f/0x40 [ 1887.198319] bpf_obj_free_fields+0x1d4/0x260 [ 1887.198883] array_map_free+0x1a3/0x260 [ 1887.199380] bpf_map_free_deferred+0x7b/0xe0 [ 1887.199943] process_scheduled_works+0x3a2/0x6c0 [ 1887.200549] worker_thread+0x633/0x890 [ 1887.201047] ? __kthread_parkme+0xd7/0xf0 [ 1887.201574] ? kthread+0x102/0x1d0 [ 1887.202020] kthread+0x1ab/0x1d0 [ 1887.202447] ? pr_cont_work+0x270/0x270 [ 1887.202954] ? kthread_blkcg+0x50/0x50 [ 1887.203444] ret_from_fork+0x34/0x50 [ 1887.203914] ? kthread_blkcg+0x50/0x50 [ 1887.204397] ret_from_fork_asm+0x11/0x20 [ 1887.204913] </TASK> [ 1887.204913] </TASK> [ 1887.205209] [ 1887.205416] Allocated by task 2197: [ 1887.205881] kasan_set_track+0x3f/0x60 [ 1887.206366] __kasan_kmalloc+0x6e/0x80 [ 1887.206856] __kmalloc+0xac/0x1a0 [ 1887.207293] btf_parse_fields+0xa15/0x1480 [ 1887.207836] btf_parse_struct_metas+0x566/0x670 [ 1887.208387] btf_new_fd+0x294/0x4d0 [ 1887.208851] __sys_bpf+0x4ba/0x600 [ 1887.209292] __x64_sys_bpf+0x41/0x50 [ 1887.209762] do_syscall_64+0x4c/0xf0 [ 1887.210222] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 1887.210868] [ 1887.211074] Freed by task 36: [ 1887.211460] kasan_set_track+0x3f/0x60 [ 1887.211951] kasan_save_free_info+0x28/0x40 [ 1887.212485] ____kasan_slab_free+0x101/0x180 [ 1887.213027] __kmem_cache_free+0xe4/0x210 [ 1887.213514] btf_free+0x5b/0x130 [ 1887.213918] rcu_core+0x638/0xcc0 [ 1887.214347] __do_softirq+0x114/0x37e The error happens at bpf_rb_root_free+0x1f8/0x2b0: 00000000000034c0 <bpf_rb_root_free>: ; { 34c0: f3 0f 1e fa endbr64 34c4: e8 00 00 00 00 callq 0x34c9 <bpf_rb_root_free+0x9> 34c9: 55 pushq %rbp 34ca: 48 89 e5 movq %rsp, %rbp ... ; if (rec && rec->refcount_off >= 0 && 36aa: 4d 85 ed testq %r13, %r13 36ad: 74 a9 je 0x3658 <bpf_rb_root_free+0x198> 36af: 49 8d 7d 10 leaq 0x10(%r13), %rdi 36b3: e8 00 00 00 00 callq 0x36b8 <bpf_rb_root_free+0x1f8> <==== kasan function 36b8: 45 8b 7d 10 movl 0x10(%r13), %r15d <==== use-after-free load 36bc: 45 85 ff testl %r15d, %r15d 36bf: 78 8c js 0x364d <bpf_rb_root_free+0x18d> So the problem ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2023-52446 is a high-severity vulnerability in the Linux kernel related to the Berkeley Packet Filter (BPF) subsystem, specifically involving a race condition between the functions btf_put() and map_free(). The vulnerability manifests as a use-after-free (CWE-416) condition within the kernel's BPF map management code. This flaw was identified through kernel address sanitizer (KASAN) reports showing slab-use-after-free errors during execution of BPF test programs. The root cause is a race condition where a BPF map's reference counting and freeing operations are not properly synchronized, leading to the kernel attempting to access memory that has already been freed. The detailed kernel stack traces and disassembly excerpts indicate that the error occurs in the bpf_rb_root_free() function, where a freed object is accessed, causing memory corruption and potential kernel crashes. The vulnerability affects specific Linux kernel versions identified by commit hashes and was publicly disclosed on February 22, 2024. The CVSS v3.1 score is 7.8 (high), reflecting local attack vector with low complexity, requiring low privileges but no user interaction, and impacting confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the nature of the flaw allows for potential privilege escalation or denial of service attacks if exploited. This vulnerability is critical for systems relying on BPF for networking, security, or observability functions, as exploitation could compromise kernel stability or security guarantees. The fix involves proper synchronization and reference counting in the BPF map freeing logic to eliminate the race condition and prevent use-after-free errors.
Potential Impact
For European organizations, this vulnerability poses significant risks, especially for enterprises and service providers running Linux-based infrastructure with BPF-enabled kernels. BPF is widely used in modern Linux distributions for advanced networking, firewalling, and performance monitoring, making this vulnerability relevant across cloud providers, telecom operators, financial institutions, and critical infrastructure sectors. Exploitation could lead to kernel crashes causing denial of service, or potentially privilege escalation allowing attackers to gain kernel-level control, threatening confidentiality and integrity of sensitive data. Given the prevalence of Linux in server environments and embedded systems, the impact could extend to industrial control systems and IoT devices used in European manufacturing and utilities. The vulnerability's local attack vector means that attackers need some level of access, but this could be achieved through compromised user accounts or container escapes, which are common attack vectors in enterprise environments. The high severity rating underscores the need for urgent mitigation to prevent disruption of services and potential data breaches within European organizations.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2023-52446 as soon as vendors release them. Until patches are available, organizations should restrict access to systems running vulnerable kernels, especially limiting unprivileged user access and container workloads that could trigger BPF map operations. Employing kernel lockdown features and mandatory access controls (e.g., SELinux, AppArmor) can reduce the risk of local privilege escalation. Monitoring kernel logs for KASAN or use-after-free related errors can help detect attempted exploitation. Network segmentation and strict user privilege management will limit attacker movement in case of partial compromise. Additionally, organizations should review and harden container and virtualization environments to prevent untrusted code from invoking BPF operations. Coordinating with Linux distribution vendors and applying security advisories promptly is critical. Finally, conducting penetration testing and vulnerability scanning focused on kernel vulnerabilities can help identify exposure and validate mitigations.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-20T12:30:33.291Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9831c4522896dcbe79a0
Added to database: 5/21/2025, 9:09:05 AM
Last enriched: 7/3/2025, 4:12:39 AM
Last updated: 8/13/2025, 5:14:22 AM
Views: 17
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.