CVE-2023-52572: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix UAF in cifs_demultiplex_thread()

There is a UAF when running xfstests on cifs:

  BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160
  Read of size 4 at addr ffff88810103fc08 by task cifsd/923

  CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45
  ...
  Call Trace:
   <TASK>
   dump_stack_lvl+0x34/0x44
   print_report+0x171/0x472
   kasan_report+0xad/0x130
   kasan_check_range+0x145/0x1a0
   smb2_is_network_name_deleted+0x27/0x160
   cifs_demultiplex_thread.cold+0x172/0x5a4
   kthread+0x165/0x1a0
   ret_from_fork+0x1f/0x30
   </TASK>

  Allocated by task 923:
   kasan_save_stack+0x1e/0x40
   kasan_set_track+0x21/0x30
   __kasan_slab_alloc+0x54/0x60
   kmem_cache_alloc+0x147/0x320
   mempool_alloc+0xe1/0x260
   cifs_small_buf_get+0x24/0x60
   allocate_buffers+0xa1/0x1c0
   cifs_demultiplex_thread+0x199/0x10d0
   kthread+0x165/0x1a0
   ret_from_fork+0x1f/0x30

  Freed by task 921:
   kasan_save_stack+0x1e/0x40
   kasan_set_track+0x21/0x30
   kasan_save_free_info+0x2a/0x40
   ____kasan_slab_free+0x143/0x1b0
   kmem_cache_free+0xe3/0x4d0
   cifs_small_buf_release+0x29/0x90
   SMB2_negotiate+0x8b7/0x1c60
   smb2_negotiate+0x51/0x70
   cifs_negotiate_protocol+0xf0/0x160
   cifs_get_smb_ses+0x5fa/0x13c0
   mount_get_conns+0x7a/0x750
   cifs_mount+0x103/0xd00
   cifs_smb3_do_mount+0x1dd/0xcb0
   smb3_get_tree+0x1d5/0x300
   vfs_get_tree+0x41/0xf0
   path_mount+0x9b3/0xdd0
   __x64_sys_mount+0x190/0x1d0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

The UAF is because:

 mount(pid: 921)               | cifsd(pid: 923)
-------------------------------|-------------------------------
                               | cifs_demultiplex_thread
SMB2_negotiate                 |
 cifs_send_recv                |
  compound_send_recv           |
   smb_send_rqst               |
   wait_for_response           |
    wait_event_state      [1]  |
                               |  standard_receive3
                               |   cifs_handle_standard
                               |    handle_mid
                               |     mid->resp_buf = buf;  [2]
                               |     dequeue_mid           [3]
 KILL the process         [4]  |
    resp_iov[i].iov_base = buf |
 free_rsp_buf             [5]  |
                               |  is_network_name_deleted  [6]
                               |  callback

1. After sending the request to the server, wait for the response until mid->mid_state != SUBMITTED;
2. Receive the response from the server, and set it in the mid;
3. Set the mid state to RECEIVED;
4. Kill the process; the mid state is already RECEIVED, so the wait returns 0;
5. Handle and release the negotiate response;
6. UAF.

It can be easily reproduced by adding some delay between [3] and [6].

Only sync calls have the problem, since an async call's callback is executed in the cifsd process.

Add an extra state to mark the mid state as READY before waking up the waiter; then it can get the response safely.
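The race in the diagram above, and the effect of the extra READY state, modelled in user space with pthreads. This is an added example for this page, not kernel code and not the kernel patch: the state names, the 50 ms delay standing in for "some delay between [3] and [6]", and the flag that stands in for the freed buffer are constructed for the model.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <unistd.h>

enum mid_state { MID_SUBMITTED, MID_RECEIVED, MID_READY }; /* modelled names */
struct rsp_buf { atomic_bool freed; };   /* "freed" is a flag: no real UAF here */
struct mid_q_entry {
    pthread_mutex_t lock; pthread_cond_t wake;
    enum mid_state state; struct rsp_buf *resp_buf;
    bool fixed;      /* true: the waiter waits for READY (the fix) */
    bool uaf_seen;   /* set if cifsd reads the buffer after it was released */
};
/* cifsd side: handle_mid/dequeue_mid [2][3], then is_network_name_deleted [6] */
static void *demultiplex_thread(void *arg)
{
    struct mid_q_entry *mid = arg;
    struct rsp_buf *buf = mid->resp_buf;                 /* [2] */
    pthread_mutex_lock(&mid->lock);
    mid->state = MID_RECEIVED;                           /* [3] */
    if (!mid->fixed) pthread_cond_signal(&mid->wake);    /* waiter may run now */
    pthread_mutex_unlock(&mid->lock);
    usleep(50000);                                       /* delay between [3] and [6] */
    if (atomic_load(&buf->freed)) mid->uaf_seen = true;  /* [6]: read of a stale buffer */
    pthread_mutex_lock(&mid->lock);
    mid->state = MID_READY;                              /* fix: cifsd is done, wake now */
    pthread_cond_signal(&mid->wake);
    pthread_mutex_unlock(&mid->lock);
    return NULL;
}

/* Mount side: wait_for_response [1], then free_rsp_buf [5]. Returns true if
 * cifsd touched the buffer after the mount side had released it. */
bool run_sync_call(bool fixed)
{
    struct rsp_buf buf = { 0 };
    struct mid_q_entry mid = { .state = MID_SUBMITTED, .resp_buf = &buf,
                               .fixed = fixed };
    pthread_mutex_init(&mid.lock, NULL); pthread_cond_init(&mid.wake, NULL);
    pthread_t t; pthread_create(&t, NULL, demultiplex_thread, &mid);
    pthread_mutex_lock(&mid.lock);
    /* vulnerable: the wait ends on any state but SUBMITTED, which is what the
     * killed process at [4] sees once RECEIVED; fixed: the state must be READY */
    while (fixed ? mid.state != MID_READY : mid.state == MID_SUBMITTED)
        pthread_cond_wait(&mid.wake, &mid.lock);
    pthread_mutex_unlock(&mid.lock);
    atomic_store(&buf.freed, true);                      /* [5] free_rsp_buf */
    pthread_join(t, NULL);
    return mid.uaf_seen;
}
```

Build with -pthread: run_sync_call(false) returns true because cifsd still reads the buffer after the mount side has released it at [5], while run_sync_call(true) returns false because the waiter is not woken until the demultiplex side is finished with the buffer.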
AI Analysis
Technical Summary
CVE-2023-52572 is a use-after-free (UAF) in the Linux kernel's CIFS (Common Internet File System) client, reported by KASAN in smb2_is_network_name_deleted() as called from cifs_demultiplex_thread(). It affects synchronous SMB2 operations; in the reported case it is the negotiate request sent during mount. The root cause is a race between two kernel contexts: the mounting process running SMB2_negotiate(), which sends the request and sleeps in wait_for_response() until mid->mid_state leaves SUBMITTED, and the cifsd kernel thread, which receives the response, stores the buffer pointer in the mid, sets the state to RECEIVED and then keeps using the buffer (for example in is_network_name_deleted()). If the mounting process is killed once the state has become RECEIVED, its wait returns, the mount path handles and releases the negotiate response buffer, and cifsd then reads the freed buffer. The kernel's Kernel Address Sanitizer (KASAN) detected this during xfstests, confirming the invalid memory access. Only synchronous calls are affected, because an asynchronous call's callback runs in the cifsd thread itself, so the buffer cannot be released underneath it. The fix adds a READY state: cifsd marks the mid READY only after it has finished with the response buffer and wakes the waiter then, so the waiting side cannot release the buffer while cifsd is still using it. The report was produced on 6.1.0-rc4, and other kernel versions carrying the same CIFS code are likely affected. Exploitation requires triggering synchronous SMB2 operations and controlling process lifetimes to hit the race window, which may be complex but is feasible on systems using CIFS mounts. No exploits are reported in the wild, but the bug poses a risk of kernel memory corruption and therefore of system crashes or potentially privilege escalation.
Potential Impact
For European organizations, this vulnerability presents a significant risk particularly to environments relying on Linux servers with CIFS mounts for file sharing, common in enterprise and cloud infrastructures. Exploitation could lead to kernel memory corruption causing denial of service (system crashes) or potentially privilege escalation, allowing attackers to gain elevated access on critical systems. This could disrupt business operations, compromise sensitive data confidentiality and integrity, and impact availability of shared resources. Organizations using CIFS for network file systems, especially in sectors like finance, manufacturing, and government where Linux servers are prevalent, may face increased risk. The vulnerability's exploitation complexity and requirement for local process manipulation somewhat limit remote exploitation, but insider threats or compromised accounts could leverage this flaw. Additionally, the vulnerability could be chained with other exploits to gain broader system control. The lack of a public exploit currently reduces immediate risk but patching is critical to prevent future attacks.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2023-52572 as soon as they become available from trusted sources or Linux distributions.
2. Temporarily disable or avoid using CIFS mounts on vulnerable Linux systems if patching is delayed, especially for critical servers.
3. Monitor kernel logs for KASAN alerts or unusual crashes related to CIFS operations to detect potential exploitation attempts.
4. Implement strict process and user account controls to limit the ability of untrusted users to spawn or kill processes involved in CIFS operations.
5. Employ kernel hardening techniques such as SELinux or AppArmor profiles to restrict CIFS daemon capabilities.
6. Regularly update the Linux kernel and related packages to incorporate security fixes.
7. Conduct internal audits of CIFS usage and assess exposure to SMB2 negotiate operations to prioritize patching and mitigation efforts.
8. Use network segmentation to isolate CIFS servers from untrusted networks to reduce the attack surface.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-03-02T21:55:42.567Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9831c4522896dcbe7cc8
Added to database: 5/21/2025, 9:09:05 AM
Last enriched: 7/1/2025, 10:25:56 AM
Last updated: 8/15/2025, 11:46:52 AM