CVE-2023-52463: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

efivarfs: force RO when remounting if SetVariable is not supported

If SetVariable at runtime is not supported by the firmware we never assign a callback for that function. At the same time mount the efivarfs as RO so no one can call that. However, we never check the permission flags when someone remounts the filesystem as RW. As a result this leads to a crash looking like this:

$ mount -o remount,rw /sys/firmware/efi/efivars
$ efi-updatevar -f PK.auth PK

[ 303.279166] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 303.280482] Mem abort info:
[ 303.280854] ESR = 0x0000000086000004
[ 303.281338] EC = 0x21: IABT (current EL), IL = 32 bits
[ 303.282016] SET = 0, FnV = 0
[ 303.282414] EA = 0, S1PTW = 0
[ 303.282821] FSC = 0x04: level 0 translation fault
[ 303.283771] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004258c000
[ 303.284913] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
[ 303.286076] Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP
[ 303.286936] Modules linked in: qrtr tpm_tis tpm_tis_core crct10dif_ce arm_smccc_trng rng_core drm fuse ip_tables x_tables ipv6
[ 303.288586] CPU: 1 PID: 755 Comm: efi-updatevar Not tainted 6.3.0-rc1-00108-gc7d0c4695c68 #1
[ 303.289748] Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.04-00627-g88336918701d 04/01/2023
[ 303.291150] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 303.292123] pc : 0x0
[ 303.292443] lr : efivar_set_variable_locked+0x74/0xec
[ 303.293156] sp : ffff800008673c10
[ 303.293619] x29: ffff800008673c10 x28: ffff0000037e8000 x27: 0000000000000000
[ 303.294592] x26: 0000000000000800 x25: ffff000002467400 x24: 0000000000000027
[ 303.295572] x23: ffffd49ea9832000 x22: ffff0000020c9800 x21: ffff000002467000
[ 303.296566] x20: 0000000000000001 x19: 00000000000007fc x18: 0000000000000000
[ 303.297531] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaac807ab54
[ 303.298495] x14: ed37489f673633c0 x13: 71c45c606de13f80 x12: 47464259e219acf4
[ 303.299453] x11: ffff000002af7b01 x10: 0000000000000003 x9 : 0000000000000002
[ 303.300431] x8 : 0000000000000010 x7 : ffffd49ea8973230 x6 : 0000000000a85201
[ 303.301412] x5 : 0000000000000000 x4 : ffff0000020c9800 x3 : 00000000000007fc
[ 303.302370] x2 : 0000000000000027 x1 : ffff000002467400 x0 : ffff000002467000
[ 303.303341] Call trace:
[ 303.303679] 0x0
[ 303.303938] efivar_entry_set_get_size+0x98/0x16c
[ 303.304585] efivarfs_file_write+0xd0/0x1a4
[ 303.305148] vfs_write+0xc4/0x2e4
[ 303.305601] ksys_write+0x70/0x104
[ 303.306073] __arm64_sys_write+0x1c/0x28
[ 303.306622] invoke_syscall+0x48/0x114
[ 303.307156] el0_svc_common.constprop.0+0x44/0xec
[ 303.307803] do_el0_svc+0x38/0x98
[ 303.308268] el0_svc+0x2c/0x84
[ 303.308702] el0t_64_sync_handler+0xf4/0x120
[ 303.309293] el0t_64_sync+0x190/0x194
[ 303.309794] Code: ???????? ???????? ???????? ???????? (????????)
[ 303.310612] ---[ end trace 0000000000000000 ]---

Fix this by adding a .reconfigure() function to the fs operations which we can use to check the requested flags and deny anything that's not RO if the firmware doesn't implement SetVariable at runtime.
AI Analysis
Technical Summary
CVE-2023-52463 is a vulnerability in the Linux kernel's efivarfs filesystem, which exposes the EFI variables stored in firmware to user space. When the firmware does not support the SetVariable service at runtime, the kernel never installs a SetVariable callback and mounts efivarfs read-only (RO) so that no write path can reach the missing callback. However, the kernel did not check the requested mount flags when the filesystem was remounted, so efivarfs could be remounted read-write (RW) despite the lack of SetVariable support. The next write to efivarfs then called the unassigned callback, producing a NULL pointer dereference (pc : 0x0 in the oops above, reached from efivar_set_variable_locked) and a kernel crash, as shown by the crash log from the efi-updatevar utility. The root cause is the missing verification of mount flags during remount operations, which permits an unsafe RW remount. The fix adds a .reconfigure() function to the filesystem operations that checks the requested mount flags and denies any remount that is not RO when the firmware lacks runtime SetVariable support. The vulnerability can cause a denial of service (DoS) by crashing the kernel, affecting system stability and availability. It affects Linux kernel versions containing the vulnerable efivarfs implementation, that is, those prior to the patch that enforces the mount flag check on remount.
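To make the remount check concrete, the following is an added userspace model of the vulnerable and fixed .reconfigure() behaviour; it is not kernel code and not the patch itself. Names such as efi_runtime, efivarfs_sb, reconfigure_fixed and remount_rw_then_write are hypothetical stand-ins, and the call through the missing callback is modelled as a returned -EFAULT instead of an actual crash.

```c
/* Added example, not kernel code: a userspace model of the efivarfs remount
 * check from CVE-2023-52463. All names here are hypothetical stand-ins. */
#include <stddef.h>
#include <errno.h>
#include <stdbool.h>
#define SB_RDONLY 1u  /* stands in for the kernel's read-only superblock flag */

/* set_variable stays NULL when the firmware lacks SetVariable at runtime. */
struct efi_runtime { int (*set_variable)(const char *, const void *, size_t); };
struct efivarfs_sb { const struct efi_runtime *rt; unsigned int flags; };

static int noop_set_variable(const char *n, const void *d, size_t l)
{
    (void)n; (void)d; (void)l; return 0;
}

/* Before the fix: the requested flags are applied without any check. */
static int reconfigure_vulnerable(struct efivarfs_sb *sb, unsigned int req)
{
    sb->flags = req;
    return 0;
}

/* After the fix: deny anything that is not RO when SetVariable is missing. */
static int reconfigure_fixed(struct efivarfs_sb *sb, unsigned int req)
{
    if (sb->rt->set_variable == NULL && !(req & SB_RDONLY))
        return -EINVAL;  /* the kernel also logs an error and refuses */
    sb->flags = req;
    return 0;
}

/* Write path: an RO mount is refused before any callback runs. Once RW, the
 * kernel calls the NULL callback (pc : 0x0); modelled here as -EFAULT. */
static int efivarfs_file_write(struct efivarfs_sb *sb, const char *name,
                               const void *data, size_t len)
{
    if (sb->flags & SB_RDONLY)
        return -EROFS;
    if (sb->rt->set_variable == NULL)
        return -EFAULT;
    return sb->rt->set_variable(name, data, len);
}

/* Mount RO, attempt "remount,rw" through the given handler, then write. */
static int remount_rw_then_write(int (*reconf)(struct efivarfs_sb *, unsigned int),
                                 bool firmware_has_set_variable)
{
    static const struct efi_runtime with_sv = { noop_set_variable };
    static const struct efi_runtime without_sv = { NULL };
    struct efivarfs_sb sb = { firmware_has_set_variable ? &with_sv : &without_sv, SB_RDONLY };
    (void)reconf(&sb, 0);  /* request RW; a refused remount leaves the mount RO */
    return efivarfs_file_write(&sb, "PK", "auth", 4);
}
```

With the fixed handler the RW remount is refused and the write fails cleanly with -EROFS, while firmware that does support SetVariable still accepts the remount and the write.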
Potential Impact
For European organizations, this vulnerability poses a risk primarily of denial of service due to kernel crashes triggered by improper remounting of efivarfs. Systems relying on EFI variables and running vulnerable Linux kernel versions could experience unexpected reboots or downtime if an attacker or misconfigured process attempts to remount efivarfs as read-write when the firmware does not support SetVariable at runtime. This could disrupt critical services, especially in environments using Linux servers for infrastructure, cloud services, or embedded systems. While exploitation requires local access to attempt remounting efivarfs, the impact on availability could be significant in sensitive or high-availability environments. Confidentiality and integrity impacts are minimal since the vulnerability leads to a crash rather than arbitrary code execution or privilege escalation. However, repeated crashes could be leveraged as part of a broader attack to degrade system reliability or availability.
Mitigation Recommendations
1. Apply the latest Linux kernel updates that include the patch for CVE-2023-52463 to ensure the .reconfigure() function properly enforces read-only remount restrictions on efivarfs when SetVariable is unsupported.
2. Restrict local user permissions to prevent unauthorized remounting of efivarfs. Only trusted administrators should have the capability to remount system filesystems.
3. Monitor system logs for attempts to remount efivarfs as read-write and investigate any such events promptly.
4. For critical systems, implement kernel crash monitoring and automated recovery mechanisms to minimize downtime in case of unexpected kernel oops.
5. In environments where firmware does not support runtime SetVariable, consider disabling or limiting use of efivarfs where feasible to reduce attack surface.
6. Conduct regular firmware and kernel compatibility audits to ensure that kernel features align with firmware capabilities, preventing misconfigurations that could trigger this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-20T12:30:33.296Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9821c4522896dcbdd7b4
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 6/28/2025, 1:24:48 AM
Last updated: 8/14/2025, 1:55:06 AM