
CVE-2023-52487: Vulnerability in Linux (Linux kernel)

Severity: High
Published: Thu Feb 29 2024 (02/29/2024, 15:52:07 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix peer flow lists handling

The cited change refactored mlx5e_tc_del_fdb_peer_flow() to only clear DUP flag when list of peer flows has become empty. However, if any concurrent user holds a reference to a peer flow (for example, the neighbor update workqueue task is updating peer flow's parent encap entry concurrently), then the flow will not be removed from the peer list and, consecutively, DUP flag will remain set. Since mlx5e_tc_del_fdb_peers_flow() calls mlx5e_tc_del_fdb_peer_flow() for every possible peer index the algorithm will try to remove the flow from eswitch instances that it has never peered with causing either NULL pointer dereference when trying to remove the flow peer list head of peer_index that was never initialized or a warning if the list debug config is enabled[0].

Fix the issue by always removing the peer flow from the list even when not releasing the last reference to it.

[0]:
[ 3102.985806] ------------[ cut here ]------------
[ 3102.986223] list_del corruption, ffff888139110698->next is NULL
[ 3102.986757] WARNING: CPU: 2 PID: 22109 at lib/list_debug.c:53 __list_del_entry_valid_or_report+0x4f/0xc0
[ 3102.987561] Modules linked in: act_ct nf_flow_table bonding act_tunnel_key act_mirred act_skbedit vxlan cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress mlx5_vdpa vringh vhost_iotlb vdpa openvswitch nsh xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core [last unloaded: bonding]
[ 3102.991113] CPU: 2 PID: 22109 Comm: revalidator28 Not tainted 6.6.0-rc6+ #3
[ 3102.991695] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 3102.992605] RIP: 0010:__list_del_entry_valid_or_report+0x4f/0xc0
[ 3102.993122] Code: 39 c2 74 56 48 8b 32 48 39 fe 75 62 48 8b 51 08 48 39 f2 75 73 b8 01 00 00 00 c3 48 89 fe 48 c7 c7 48 fd 0a 82 e8 41 0b ad ff <0f> 0b 31 c0 c3 48 89 fe 48 c7 c7 70 fd 0a 82 e8 2d 0b ad ff 0f 0b
[ 3102.994615] RSP: 0018:ffff8881383e7710 EFLAGS: 00010286
[ 3102.995078] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
[ 3102.995670] RDX: 0000000000000001 RSI: ffff88885f89b640 RDI: ffff88885f89b640
[ 3102.997188] DEL flow 00000000be367878 on port 0
[ 3102.998594] RBP: dead000000000122 R08: 0000000000000000 R09: c0000000ffffdfff
[ 3102.999604] R10: 0000000000000008 R11: ffff8881383e7598 R12: dead000000000100
[ 3103.000198] R13: 0000000000000002 R14: ffff888139110000 R15: ffff888101901240
[ 3103.000790] FS: 00007f424cde4700(0000) GS:ffff88885f880000(0000) knlGS:0000000000000000
[ 3103.001486] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3103.001986] CR2: 00007fd42e8dcb70 CR3: 000000011e68a003 CR4: 0000000000370ea0
[ 3103.002596] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 3103.003190] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 3103.003787] Call Trace:
[ 3103.004055] <TASK>
[ 3103.004297] ? __warn+0x7d/0x130
[ 3103.004623] ? __list_del_entry_valid_or_report+0x4f/0xc0
[ 3103.005094] ? report_bug+0xf1/0x1c0
[ 3103.005439] ? console_unlock+0x4a/0xd0
[ 3103.005806] ? handle_bug+0x3f/0x70
[ 3103.006149] ? exc_invalid_op+0x13/0x60
[ 3103.006531] ? asm_exc_invalid_op+0x16/0x20
[ 3103.007430] ? __list_del_entry_valid_or_report+0x4f/0xc0
[ 3103.007910] mlx5e_tc_del_fdb_peers_flow+0xcf/0x240 [mlx5_core]
[ 3103.008463] mlx5e_tc_del_flow+0x46/0x270 [mlx5_core]
[ 3103.008944] mlx5e_flow_put+0x26/0x50 [mlx5_core]
[ 3103.009401] mlx5e_delete_flower+0x25f/0x380 [mlx5_core]
[ 3103.009901] tc_setup_cb_destroy+0xab/0x180
[ 3103.010292] fl_hw_destroy_filter+0x99/0xc0 [cls_flower]
[ 3103.010779] __fl_delete+0x2d4/0x2f0 [cls_flower]
[ 3103.0 ---truncated---

AI-Powered Analysis

Last updated: 07/01/2025, 09:39:34 UTC

Technical Analysis

CVE-2023-52487 is a vulnerability in the Linux kernel's mlx5e driver, which handles networking for Mellanox ConnectX-5 and later network interface cards (NICs). The flaw arises from improper handling of peer flow lists within the mlx5e_tc_del_fdb_peer_flow() function. Specifically, the function was refactored to clear the DUP flag only when the list of peer flows became empty. However, if a concurrent process holds a reference to a peer flow (such as a neighbor update workqueue task updating the flow's parent encapsulation entry), the flow is not removed from the peer list, so the DUP flag remains set. Subsequently, mlx5e_tc_del_fdb_peers_flow(), which calls mlx5e_tc_del_fdb_peer_flow() for every possible peer index, attempts to remove the flow from eswitch instances it was never peered with. Because the peer list head for such an index was never initialized, this leads to either a NULL pointer dereference or a kernel warning about list corruption, as the kernel log excerpt above (list_del corruption, ...->next is NULL) shows.

The root cause is that the peer flow was removed from the list only when its last reference was released. The patch fixes this by removing it from the list unconditionally, even when other references to it remain.

This vulnerability can cause kernel crashes (denial of service) due to NULL pointer dereferences and list corruption in the mlx5e driver, affecting systems using Mellanox NICs with the affected Linux kernel versions. No known exploits are reported in the wild, and triggering the bug requires concurrent access to the peer flow structures, implying some level of complexity in exploitation. The issue affects Linux kernels around version 6.6.0-rc6+ and likely other versions using the vulnerable mlx5e driver code. The vulnerability does not have an assigned CVSS score but is publicly disclosed and patched.
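The unlink ordering described in the commit message and in the analysis above, as an added user-space model in C. This is not the mlx5e driver's code: the struct layouts, the MAX_PORTS constant, the list helpers and the two-device scenario are this example's own assumptions. The checked unlink plays the role of the kernel's list debug check that produced the warning in the log above; the buggy path unlinks the peer flow only when the last reference drops, the fixed path always unlinks it and only defers the free.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal intrusive doubly-linked list modelled on the kernel's list_head
 * (constructed for this example, not the kernel's implementation). */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h;
    h->next->prev = n; h->next = n;
}

/* Stands in for the list debug check: refuse to unlink an entry whose links
 * are NULL (a head that was never initialised) instead of dereferencing them. */
static bool list_del_checked(struct list_head *n)
{
    if (n->next == NULL || n->prev == NULL) {
        fprintf(stderr, "list_del corruption: %p->next is NULL\n", (void *)n);
        return false;
    }
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;
    return true;
}

static bool list_empty(const struct list_head *h) { return h->next == h; }

#define MAX_PORTS 4      /* assumed number of possible peer indices */
#define FLAG_DUP  0x1u   /* "this flow has been duplicated to peers" */

struct peer_flow {
    int dev_index;                /* eswitch the peer flow lives on */
    int refcnt;
    struct list_head peer_flows;  /* link in flow->peer_flows */
};

struct flow {
    int dev_index;
    unsigned flags;
    struct list_head peer[MAX_PORTS]; /* link into each peer eswitch's list;
                                         initialised only for real peers */
    struct list_head peer_flows;      /* peer flows created for this flow */
};

struct eswitch { struct list_head flows; };

static struct eswitch esw[MAX_PORTS];
static struct peer_flow pf;
static struct flow flow;

/* Constructed scenario: flow on device 0 peered with device 1 only, while a
 * concurrent user (the neighbour update task) holds an extra reference. */
static void setup(void)
{
    memset(&flow, 0, sizeof flow);   /* peer[2], peer[3] stay NULL: never peered */
    memset(&pf, 0, sizeof pf);
    for (int i = 0; i < MAX_PORTS; i++) list_init(&esw[i].flows);
    flow.dev_index = 0;
    list_init(&flow.peer_flows);
    pf.dev_index = 1;
    pf.refcnt = 1;
    list_add(&pf.peer_flows, &flow.peer_flows);
    list_init(&flow.peer[1]);
    list_add(&flow.peer[1], &esw[1].flows);
    flow.flags |= FLAG_DUP;
    pf.refcnt++;                     /* the concurrent holder's reference */
}

/* Remove the flow's peering with one peer index. Returns the number of
 * list corruption events the checked unlink detected. */
static int del_peer_flow(struct flow *f, int peer_index, bool fixed)
{
    int errors = 0;
    if (!(f->flags & FLAG_DUP))
        return 0;
    if (!list_del_checked(&f->peer[peer_index]))   /* NULL head when never peered */
        errors++;
    struct list_head *pos, *tmp;
    for (pos = f->peer_flows.next; pos != &f->peer_flows; pos = tmp) {
        tmp = pos->next;
        struct peer_flow *p = (struct peer_flow *)((char *)pos - offsetof(struct peer_flow, peer_flows));
        if (p->dev_index != peer_index)
            continue;
        if (fixed)
            list_del_checked(&p->peer_flows);       /* fixed: always unlink */
        if (--p->refcnt == 0) {
            if (!fixed)
                list_del_checked(&p->peer_flows);   /* buggy: unlink only on last ref */
            /* the real driver would free p here */
        }
    }
    if (list_empty(&f->peer_flows))
        f->flags &= ~FLAG_DUP;
    return errors;
}

/* Walk every possible peer index, as the commit message describes. */
int del_peers_flow(struct flow *f, bool fixed)
{
    int errors = 0;
    for (int i = 0; i < MAX_PORTS; i++) {
        if (i == f->dev_index)
            continue;
        errors += del_peer_flow(f, i, fixed);
    }
    return errors;
}

int run_buggy(void) { setup(); return del_peers_flow(&flow, false); }
int run_fixed(void) { setup(); return del_peers_flow(&flow, true); }

int main(void)
{
    printf("buggy: %d list corruption events\n", run_buggy());
    printf("fixed: %d list corruption events\n", run_fixed());
    return 0;
}
```

In the buggy run the surviving reference leaves the peer list non-empty, DUP stays set, and the loop then unlinks flow.peer[2] and flow.peer[3], heads that were never initialised; in the fixed run the list is emptied on the first real peer, DUP is cleared, and the remaining indices return early while the concurrent holder still owns its reference.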

Potential Impact

For European organizations, the impact of CVE-2023-52487 can be significant in environments relying on high-performance networking hardware from Mellanox (now part of NVIDIA), especially in data centers, cloud providers, telecommunications infrastructure, and enterprises using Linux-based servers with ConnectX-5 or newer NICs. The vulnerability can lead to kernel crashes and denial of service, disrupting critical network functions and potentially causing outages in services dependent on these systems. This is particularly impactful for sectors requiring high availability and low latency, such as financial services, telecommunications, research institutions, and cloud service providers prevalent across Europe. While the vulnerability does not appear to allow privilege escalation or remote code execution directly, the denial of service could be leveraged as part of a broader attack chain or cause operational disruptions. Given the concurrency aspect, exploitation might require local access or specific network conditions, limiting remote exploitation but not eliminating risk in multi-tenant or shared environments. The lack of known exploits reduces immediate threat but does not preclude future weaponization. Organizations with Linux infrastructure using affected NICs should prioritize patching to maintain network stability and security.

Mitigation Recommendations

1. Apply the official Linux kernel patches that fix the peer flow list handling in the mlx5e driver as soon as they become available from trusted Linux distributions or kernel sources.
2. For organizations unable to immediately patch, consider disabling or limiting the use of Mellanox ConnectX-5 or newer NICs in critical systems or isolating affected systems from untrusted networks to reduce attack surface.
3. Monitor kernel logs for signs of list corruption warnings or NULL pointer dereferences related to mlx5e, which may indicate attempted exploitation or instability.
4. Implement strict access controls and network segmentation to limit concurrent access scenarios that could trigger the vulnerability.
5. Engage with hardware and Linux vendors to confirm affected kernel versions and receive timely updates.
6. Conduct thorough testing of kernel updates in staging environments to ensure stability before deployment in production.
7. Maintain an up-to-date inventory of hardware using Mellanox NICs to prioritize patching and mitigation efforts.
8. Consider deploying kernel live patching solutions where available to reduce downtime during patch application.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-20T12:30:33.301Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9831c4522896dcbe7afb

Added to database: 5/21/2025, 9:09:05 AM

Last enriched: 7/1/2025, 9:39:34 AM

Last updated: 8/8/2025, 4:24:41 AM
