CVE-2023-52523: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets

With a SOCKMAP/SOCKHASH map and an sk_msg program, a user can steer messages sent from one TCP socket (s1) to actually egress from another TCP socket (s2):

    tcp_bpf_sendmsg(s1)                    // = sk_prot->sendmsg
      tcp_bpf_send_verdict(s1)             // __SK_REDIRECT case
        tcp_bpf_sendmsg_redir(s2)
          tcp_bpf_push_locked(s2)
            tcp_bpf_push(s2)
              tcp_rate_check_app_limited(s2)  // expects tcp_sock
              tcp_sendmsg_locked(s2)          // ditto

There is a hard-coded assumption in the call chain that the egress socket (s2) is a TCP socket. However, in commit 122e6c79efe1 ("sock_map: Update sock type checks for UDP") we have enabled redirects to non-TCP sockets. This was done for the sake of BPF sk_skb programs. There was no intention to support the sk_msg send-to-egress use case.

As a result, attempts to send-to-egress through a non-TCP socket lead to a crash due to an invalid downcast from sock to tcp_sock:

    BUG: kernel NULL pointer dereference, address: 000000000000002f
    ...
    Call Trace:
     <TASK>
     ? show_regs+0x60/0x70
     ? __die+0x1f/0x70
     ? page_fault_oops+0x80/0x160
     ? do_user_addr_fault+0x2d7/0x800
     ? rcu_is_watching+0x11/0x50
     ? exc_page_fault+0x70/0x1c0
     ? asm_exc_page_fault+0x27/0x30
     ? tcp_tso_segs+0x14/0xa0
     tcp_write_xmit+0x67/0xce0
     __tcp_push_pending_frames+0x32/0xf0
     tcp_push+0x107/0x140
     tcp_sendmsg_locked+0x99f/0xbb0
     tcp_bpf_push+0x19d/0x3a0
     tcp_bpf_sendmsg_redir+0x55/0xd0
     tcp_bpf_send_verdict+0x407/0x550
     tcp_bpf_sendmsg+0x1a1/0x390
     inet_sendmsg+0x6a/0x70
     sock_sendmsg+0x9d/0xc0
     ? sockfd_lookup_light+0x12/0x80
     __sys_sendto+0x10e/0x160
     ? syscall_enter_from_user_mode+0x20/0x60
     ? __this_cpu_preempt_check+0x13/0x20
     ? lockdep_hardirqs_on+0x82/0x110
     __x64_sys_sendto+0x1f/0x30
     do_syscall_64+0x38/0x90
     entry_SYSCALL_64_after_hwframe+0x63/0xcd

Reject selecting a non-TCP socket as a redirect target from a BPF sk_msg program to prevent the crash.

When attempted, the user will receive an EACCES error from the send/sendto/sendmsg() syscall.
AI Analysis
Technical Summary
CVE-2023-52523 is a vulnerability in the Linux kernel's Berkeley Packet Filter (BPF) subsystem, specifically in the sockmap and sk_msg egress redirect functionality. It arises from an incorrect assumption in the kernel's TCP socket handling code. The BPF sockmap/sk_msg feature allows user-space programs to redirect messages sent from one TCP socket (s1) so that they egress through another TCP socket (s2). The kernel code on this path assumes that the egress socket (s2) is always a TCP socket; this matters because TCP-specific functions and data structures are accessed while the message is sent.

However, a recent kernel commit (122e6c79efe1) enabled redirects to non-TCP sockets to support BPF sk_skb programs, without intending to support the sk_msg send-to-egress use case. Consequently, if an sk_msg program redirects egress traffic to a non-TCP socket, the kernel performs an invalid downcast from a generic socket to a TCP socket, leading to a NULL pointer dereference and a kernel crash (BUG). The crash occurs because the kernel accesses TCP-specific fields on a non-TCP socket, causing a page fault and system instability.

The patch for this vulnerability rejects attempts to redirect sk_msg egress traffic to non-TCP sockets, returning an EACCES error to the user-space send/sendto/sendmsg syscall instead of crashing the kernel. The fix prevents exploitation by enforcing socket type checks before the redirect is performed. No exploits in the wild are known at this time, but the bug can cause denial of service (DoS) by crashing the kernel if triggered. It affects Linux kernel versions that include the problematic commit and is relevant to systems using BPF sockmap/sk_msg features for advanced socket message steering.
Potential Impact
For European organizations, this vulnerability primarily presents a risk of denial of service (DoS) on Linux systems that utilize BPF sockmap/sk_msg features for network packet processing or socket message redirection. Such systems are often found in high-performance networking environments, including telecom infrastructure, cloud data centers, and advanced network appliances. A kernel crash caused by this vulnerability could disrupt critical services, leading to downtime and potential loss of availability. While the vulnerability does not directly expose confidentiality or integrity risks, the resulting system instability could impact service continuity and operational reliability. Organizations relying on Linux-based network functions virtualization (NFV), container orchestration platforms (e.g., Kubernetes nodes running Linux kernels with BPF features), or custom network monitoring and filtering solutions may be particularly affected. The lack of known exploits reduces immediate risk, but the potential for accidental or malicious triggering of the crash remains. This could be leveraged by attackers to cause service interruptions or to distract from other attack activities. Given the widespread use of Linux in European enterprise and public sector infrastructure, the impact could be significant if unpatched systems are exposed in critical network roles.
Mitigation Recommendations
1. Apply the official Linux kernel patches that reject sk_msg egress redirects to non-TCP sockets as soon as they become available for your distribution or kernel version. This is the definitive fix preventing the crash.
2. Audit and review any custom BPF programs or applications that use sockmap/sk_msg features to ensure they do not attempt to redirect messages to non-TCP sockets.
3. Implement kernel crash monitoring and alerting to detect and respond quickly to any unexpected kernel panics or oops events related to networking.
4. Restrict access to BPF program loading and socket map manipulation to trusted users and processes only, minimizing the risk of accidental or malicious triggering.
5. For environments using container orchestration or NFV, ensure that node kernels are updated promptly and that network functions are tested for compatibility with the patched kernel.
6. Consider deploying runtime security tools that monitor kernel behavior and can block or alert on suspicious BPF activity.
7. Maintain a robust incident response plan to handle potential DoS events caused by kernel crashes, including failover and redundancy strategies.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-20T12:30:33.317Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9831c4522896dcbe7c44
Added to database: 5/21/2025, 9:09:05 AM
Last enriched: 7/1/2025, 10:11:50 AM
Last updated: 7/25/2025, 10:26:28 PM