CVE-2023-52577: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

dccp: fix dccp_v4_err()/dccp_v6_err() again

dh->dccph_x is the 9th byte (offset 8) in "struct dccp_hdr", not in the "byte 7" as Jann claimed.

We need to make sure the ICMP messages are big enough, using more standard ways (no more assumptions).

syzbot reported:

BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2667 [inline]
BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2681 [inline]
BUG: KMSAN: uninit-value in dccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94
 pskb_may_pull_reason include/linux/skbuff.h:2667 [inline]
 pskb_may_pull include/linux/skbuff.h:2681 [inline]
 dccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94
 icmpv6_notify+0x4c7/0x880 net/ipv6/icmp.c:867
 icmpv6_rcv+0x19d5/0x30d0
 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438
 ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
 NF_HOOK include/linux/netfilter.h:304 [inline]
 ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
 dst_input include/net/dst.h:468 [inline]
 ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79
 NF_HOOK include/linux/netfilter.h:304 [inline]
 ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310
 __netif_receive_skb_one_core net/core/dev.c:5523 [inline]
 __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637
 netif_receive_skb_internal net/core/dev.c:5723 [inline]
 netif_receive_skb+0x58/0x660 net/core/dev.c:5782
 tun_rx_batched+0x83b/0x920
 tun_get_user+0x564c/0x6940 drivers/net/tun.c:2002
 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
 call_write_iter include/linux/fs.h:1985 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x8ef/0x15c0 fs/read_write.c:584
 ksys_write+0x20f/0x4c0 fs/read_write.c:637
 __do_sys_write fs/read_write.c:649 [inline]
 __se_sys_write fs/read_write.c:646 [inline]
 __x64_sys_write+0x93/0xd0 fs/read_write.c:646
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was created at:
 slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767
 slab_alloc_node mm/slub.c:3478 [inline]
 kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523
 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559
 __alloc_skb+0x318/0x740 net/core/skbuff.c:650
 alloc_skb include/linux/skbuff.h:1286 [inline]
 alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6313
 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2795
 tun_alloc_skb drivers/net/tun.c:1531 [inline]
 tun_get_user+0x23cf/0x6940 drivers/net/tun.c:1846
 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
 call_write_iter include/linux/fs.h:1985 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x8ef/0x15c0 fs/read_write.c:584
 ksys_write+0x20f/0x4c0 fs/read_write.c:637
 __do_sys_write fs/read_write.c:649 [inline]
 __se_sys_write fs/read_write.c:646 [inline]
 __x64_sys_write+0x93/0xd0 fs/read_write.c:646
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

CPU: 0 PID: 4995 Comm: syz-executor153 Not tainted 6.6.0-rc1-syzkaller-00014-ga747acc0b752 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
AI Analysis
Technical Summary
CVE-2023-52577 is a vulnerability identified in the Linux kernel's implementation of the Datagram Congestion Control Protocol (DCCP), specifically in the ICMP error handling functions dccp_v4_err() and dccp_v6_err(). The issue arises from an incorrect assumption about the layout of "struct dccp_hdr": the field dccph_x was treated as living at byte offset 7, whereas it is the 9th byte (offset 8). Because the length check in the error handlers was based on that assumption, an ICMP error message whose quoted inner DCCP header was too short to contain dccph_x still passed the check, and the kernel read the field from bytes beyond the validated data. The defect was detected through Kernel Memory Sanitizer (KMSAN) reports of an uninitialized value being used in the network stack, specifically inside the sk_buff (socket buffer) pull logic called from dccp_v6_err(). Using uninitialized memory in this way is undefined behavior and can result in information leakage or kernel crashes. The vulnerability affects multiple Linux kernel versions, as indicated by the various fix commit hashes listed in the CVE record. The flaw is rooted in the network subsystem, in the IPv4 and IPv6 DCCP error processing paths, and impacts the kernel's ability to safely parse and respond to malformed or malicious ICMP packets. Although no known exploits are reported in the wild, the vulnerability could be leveraged by an attacker capable of sending crafted ICMP packets to trigger uninitialized memory reads or kernel faults. The issue was reported by syzbot, an automated kernel fuzzing tool, and fixed by validating the ICMP message size with the kernel's standard helpers rather than a hard-coded byte count, and by correcting the offset assumption in the DCCP header parsing logic. The vulnerability does not require authentication but does require network access to the affected system's DCCP services or interfaces that process ICMP messages. The lack of a CVSS score necessitates an expert severity assessment based on the technical details.
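To make the offset point concrete, the following user-space C model is an added example and is not kernel code or code from this advisory: it mirrors the 12-byte generic DCCP header layout, contrasts the "8 bytes past the inner IP header" assumption with a bound derived from the structure, and runs both against constructed ICMP error payloads. The struct, function and sample names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>

/* User-space mirror of the 12-byte generic DCCP header (RFC 4340); the
 * kernel's struct dccp_hdr has the same layout. Byte 8 packs
 * Reserved:3 | Type:4 | X:1, so dccph_x is the low bit of offset 8. */
struct dccp_hdr_wire {
    uint8_t sport[2], dport[2];  /* offsets 0-3 */
    uint8_t doff;                /* offset 4, header length in 32-bit words */
    uint8_t ccval_cscov;         /* offset 5 */
    uint8_t checksum[2];         /* offsets 6-7 */
    uint8_t res_type_x;          /* offset 8: the byte holding dccph_x */
    uint8_t seq2;                /* offset 9 */
    uint8_t seq[2];              /* offsets 10-11 */
};
#define DCCPH_X_OFFSET offsetof(struct dccp_hdr_wire, res_type_x)

/* Both checks answer the same question: does an ICMP error payload of `len`
 * bytes, whose quoted inner IP header ends at `offset`, hold enough of the
 * inner DCCP header to read dccph_x?  The old check assumed 8 bytes sufficed. */
int dccp_err_len_ok_old(size_t len, size_t offset)
{
    return len >= offset + 8;   /* covers offsets 0-7 only: one byte short */
}

int dccp_err_len_ok_fixed(size_t len, size_t offset)
{
    /* Derive the bound from the structure instead of a hard-coded literal. */
    return len >= offset + sizeof(struct dccp_hdr_wire);
}

/* Reads dccph_x only after the corrected check: 1 or 0, or -1 if too short. */
int dccp_err_read_x(const uint8_t *payload, size_t len, size_t offset)
{
    if (!dccp_err_len_ok_fixed(len, offset))
        return -1;
    return payload[offset + DCCPH_X_OFFSET] & 0x01;
}

/* Constructed samples: a 20-byte inner IPv4 header (protocol 33 = DCCP)
 * followed by the quoted inner DCCP header.  An ICMP error is only required
 * to quote 8 bytes of transport header, which is what the short sample has. */
#define INNER_IP_LEN 20
static const uint8_t sample_short[INNER_IP_LEN + 8] = {
    [0] = 0x45, [9] = 33,
    [20] = 0x13, [21] = 0x88, [22] = 0x13, [23] = 0x89   /* ports 5000/5001 */
};
static const uint8_t sample_full[INNER_IP_LEN + 12] = {
    [0] = 0x45, [9] = 33,
    [20] = 0x13, [21] = 0x88, [22] = 0x13, [23] = 0x89, [24] = 5,
    [28] = 0x01                                /* Type 0 (Request), X = 1 */
};
```

With the short sample the old check accepts the message although the byte holding dccph_x is absent, while the structure-derived check rejects it; the full sample passes both and yields X = 1.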
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions that utilize DCCP, which is often used in specialized network applications requiring congestion control, such as multimedia streaming or telephony over IP. Exploitation could lead to kernel crashes (denial of service) or potential information leakage through uninitialized memory reads, undermining system stability and confidentiality. Critical infrastructure, telecommunications providers, and enterprises relying on Linux-based network appliances or servers could be affected, potentially disrupting services or exposing sensitive data. Given the kernel-level nature of the flaw, successful exploitation could allow attackers to escalate privileges or cause system instability, impacting availability and integrity. The threat is heightened in environments with exposed network interfaces or where ICMP traffic is not adequately filtered. European organizations with stringent uptime and data protection requirements may face operational and compliance risks if vulnerable systems are exploited.
Mitigation Recommendations
1. Immediate application of the official Linux kernel patches that correct the DCCP header offset and improve ICMP message size validation is essential. Organizations should track kernel updates from their Linux distribution vendors and deploy security updates promptly.
2. Network administrators should implement strict ingress and egress filtering to limit ICMP traffic to trusted sources, reducing the attack surface.
3. Disable DCCP protocol support on systems where it is not required to eliminate exposure.
4. Employ kernel hardening techniques such as enabling Kernel Address Sanitizer (KASAN) and Kernel Memory Sanitizer (KMSAN) in testing environments to detect similar issues proactively.
5. Monitor network traffic for anomalous ICMP packets that could indicate exploitation attempts.
6. For critical systems, consider deploying intrusion detection/prevention systems (IDS/IPS) capable of recognizing malformed ICMP or DCCP packets.
7. Conduct regular vulnerability assessments and penetration testing focusing on network protocol handling to identify residual risks.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-03-02T21:55:42.568Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9821c4522896dcbdd7fb
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 6/28/2025, 1:26:39 AM
Last updated: 8/8/2025, 4:22:43 PM