CVE-2023-52637: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)

Lock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...) modifies jsk->filters while receiving packets.

Following trace was seen on affected system:

==================================================================
BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
Read of size 4 at addr ffff888012144014 by task j1939/350

CPU: 0 PID: 350 Comm: j1939 Tainted: G W OE 6.5.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <IRQ>
 print_report+0xd3/0x620
 ? kasan_complete_mode_report_info+0x7d/0x200
 ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
 kasan_report+0xc2/0x100
 ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
 __asan_load4+0x84/0xb0
 j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
 j1939_sk_recv+0x20b/0x320 [can_j1939]
 ? __kasan_check_write+0x18/0x20
 ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939]
 ? j1939_simple_recv+0x69/0x280 [can_j1939]
 ? j1939_ac_recv+0x5e/0x310 [can_j1939]
 j1939_can_recv+0x43f/0x580 [can_j1939]
 ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
 ? raw_rcv+0x42/0x3c0 [can_raw]
 ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
 can_rcv_filter+0x11f/0x350 [can]
 can_receive+0x12f/0x190 [can]
 ? __pfx_can_rcv+0x10/0x10 [can]
 can_rcv+0xdd/0x130 [can]
 ? __pfx_can_rcv+0x10/0x10 [can]
 __netif_receive_skb_one_core+0x13d/0x150
 ? __pfx___netif_receive_skb_one_core+0x10/0x10
 ? __kasan_check_write+0x18/0x20
 ? _raw_spin_lock_irq+0x8c/0xe0
 __netif_receive_skb+0x23/0xb0
 process_backlog+0x107/0x260
 __napi_poll+0x69/0x310
 net_rx_action+0x2a1/0x580
 ? __pfx_net_rx_action+0x10/0x10
 ? __pfx__raw_spin_lock+0x10/0x10
 ? handle_irq_event+0x7d/0xa0
 __do_softirq+0xf3/0x3f8
 do_softirq+0x53/0x80
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x6e/0x70
 netif_rx+0x16b/0x180
 can_send+0x32b/0x520 [can]
 ? __pfx_can_send+0x10/0x10 [can]
 ? __check_object_size+0x299/0x410
 raw_sendmsg+0x572/0x6d0 [can_raw]
 ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
 ? apparmor_socket_sendmsg+0x2f/0x40
 ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
 sock_sendmsg+0xef/0x100
 sock_write_iter+0x162/0x220
 ? __pfx_sock_write_iter+0x10/0x10
 ? __rtnl_unlock+0x47/0x80
 ? security_file_permission+0x54/0x320
 vfs_write+0x6ba/0x750
 ? __pfx_vfs_write+0x10/0x10
 ? __fget_light+0x1ca/0x1f0
 ? __rcu_read_unlock+0x5b/0x280
 ksys_write+0x143/0x170
 ? __pfx_ksys_write+0x10/0x10
 ? __kasan_check_read+0x15/0x20
 ? fpregs_assert_state_consistent+0x62/0x70
 __x64_sys_write+0x47/0x60
 do_syscall_64+0x60/0x90
 ? do_syscall_64+0x6d/0x90
 ? irqentry_exit+0x3f/0x50
 ? exc_page_fault+0x79/0xf0
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8
 </TASK>

Allocated by task 348:
 kasan_save_stack+0x2a/0x50
 kasan_set_track+0x29/0x40
 kasan_save_alloc_info+0x1f/0x30
 __kasan_kmalloc+0xb5/0xc0
 __kmalloc_node_track_caller+0x67/0x160
 j1939_sk_setsockopt+0x284/0x450 [can_j1939]
 __sys_setsockopt+0x15c/0x2f0
 __x64_sys_setsockopt+0x6b/0x80
 do_syscall_64+0x60/0x90
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Freed by task 349:
 kasan_save_stack+0x2a/0x50
 kasan_set_track+0x29/0x40
 kasan_save_free_info+0x2f/0x50
 __kasan_slab_free+0x12e/0x1c0
 __kmem_cache_free+0x1b9/0x380
 kfree+0x7a/0x120
 j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]
 __sys_setsockopt+0x15c/0x2f0
 __x64_sys_setsockopt+0x6b/0x80
 do_syscall_64+0x60/0x90
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8
AI Analysis
Technical Summary
CVE-2023-52637 is a use-after-free (UAF) vulnerability in the Linux kernel's Controller Area Network (CAN) subsystem, specifically in the SAE J1939 protocol implementation (the can_j1939 module). The freed memory is read in j1939_sk_match_filter on the packet receive path when a concurrent setsockopt(SO_J1939_FILTER) call on the same socket replaces and frees the socket's filter list (jsk->filters). The root cause is a race condition: the filter list was swapped and freed without locking the socket (jsk->sk) against the receive path, so a match could keep walking an array that had already been freed. The vulnerability was detected by Kernel Address Sanitizer (KASAN), which reported a slab-use-after-free during packet reception; the report's allocation and free stacks both originate in j1939_sk_setsockopt. Exploitation of this flaw could lead to kernel memory corruption, potentially causing system crashes (denial of service) or enabling privilege escalation if an attacker can manipulate kernel memory. The vulnerability affects Linux kernel versions prior to the patch that introduced locking to prevent concurrent modification of filters; the affected versions are identified by specific git commit hashes, indicating this is a recent and targeted fix. No public exploits are known at this time, and the vulnerability was published on April 3, 2024. Triggering it requires the ability to invoke setsockopt with SO_J1939_FILTER and to send or receive CAN J1939 packets, which typically requires local access or control over CAN network interfaces. The J1939 protocol is used primarily in automotive and industrial control systems for communication over CAN buses, which are common in embedded and specialized Linux deployments rather than general-purpose desktop or server environments.
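A user-space model of the fixed pattern, added here as an example (it is neither kernel code nor the patch itself): the receive-side match and the setsockopt-side replacement of the filter array serialize on one lock, so the old array is freed only after no match can still be walking it. The struct j1939_filter layout and the PGN/address/name mask matching follow the public J1939 socket API; the lock, the j1939_sock_model struct and the function names are constructed for this example.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Mirrors the public struct j1939_filter from linux/can/j1939.h. */
struct j1939_filter {
    uint64_t name, name_mask;
    uint32_t pgn, pgn_mask;
    uint8_t addr, addr_mask;
};

/* Constructed stand-in for the j1939_sock fields involved: array, length, one lock. */
struct j1939_sock_model {
    atomic_flag lock;               /* test-and-set spinlock standing in for the kernel's */
    struct j1939_filter *filters;
    int nfilters;
};

#define MODEL_LOCK(j)   while (atomic_flag_test_and_set_explicit(&(j)->lock, memory_order_acquire)) {}
#define MODEL_UNLOCK(j) atomic_flag_clear_explicit(&(j)->lock, memory_order_release)

/* Receive side (j1939_sk_match_filter): read pointer and count under the lock and
 * finish walking the array before releasing it. */
bool match_filter(struct j1939_sock_model *jsk, uint32_t pgn, uint8_t sa, uint64_t name)
{
    bool found = false;
    MODEL_LOCK(jsk);
    const struct j1939_filter *f = jsk->filters;
    int n = jsk->nfilters;
    if (!n) found = true;           /* no filters set: receive everything */
    for (; n && !found; ++f, --n) {
        if ((pgn & f->pgn_mask) != f->pgn) continue;
        if ((sa & f->addr_mask) != f->addr) continue;
        if ((name & f->name_mask) != f->name) continue;
        found = true;
    }
    MODEL_UNLOCK(jsk);
    return found;
}

/* setsockopt side: install a caller-allocated array (the kernel copies it in from
 * user space first), swapping under the same lock and freeing the old array only
 * afterwards. Before the fix the receive path read jsk->filters with no lock, so
 * this free could land in the middle of a match: that is the KASAN report above. */
void set_filters(struct j1939_sock_model *jsk, struct j1939_filter *nf, int count)
{
    MODEL_LOCK(jsk);
    struct j1939_filter *old = jsk->filters;
    jsk->filters = nf;
    jsk->nfilters = count;
    MODEL_UNLOCK(jsk);
    free(old);
}
```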
Potential Impact
For European organizations, the impact of CVE-2023-52637 depends largely on their use of Linux systems with CAN J1939 protocol support. Industries such as automotive manufacturing, transportation, heavy machinery, and industrial automation in Europe often deploy embedded Linux systems with CAN bus interfaces for vehicle and equipment control. Exploitation of this vulnerability could allow attackers with local access to cause kernel crashes, leading to denial of service in critical control systems. More severely, if exploited for privilege escalation, attackers could gain kernel-level control, compromising system integrity and potentially enabling further lateral movement or sabotage. Given the specialized nature of the J1939 protocol, typical IT infrastructure (e.g., web servers, office desktops) is unlikely to be affected. However, organizations involved in automotive supply chains, industrial control systems, or critical infrastructure that rely on embedded Linux with CAN support could face operational disruptions or safety risks. The lack of known exploits reduces immediate risk, but the vulnerability's presence in kernel code used in embedded devices means that patching and mitigation are critical to prevent future targeted attacks. Additionally, the vulnerability could be leveraged in supply chain attacks targeting embedded Linux devices manufactured or maintained in Europe.
Mitigation Recommendations
1. Apply the official Linux kernel patches that introduce locking around jsk->sk to prevent concurrent modification of filters, as soon as they become available in your kernel distribution.
2. For embedded devices or systems using custom kernels, backport the fix from the upstream Linux kernel to ensure protection.
3. Restrict access to CAN network interfaces and limit the ability to invoke setsockopt with SO_J1939_FILTER to trusted users only, minimizing the attack surface.
4. Implement strict access controls and monitoring on systems with CAN J1939 support to detect anomalous setsockopt calls or unusual CAN traffic patterns.
5. Where possible, isolate embedded Linux devices with CAN interfaces from general IT networks to reduce risk of remote exploitation.
6. Conduct thorough testing of updated kernels in controlled environments before deployment to ensure stability and compatibility with CAN-dependent applications.
7. Maintain an inventory of devices using CAN J1939 protocol and ensure timely updates as part of patch management processes.
8. Engage with device vendors and suppliers to confirm that they have applied the fix in their Linux kernel versions and firmware releases.
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Sweden, Poland, Belgium, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-03-06T09:52:12.093Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9830c4522896dcbe7185
Added to database: 5/21/2025, 9:09:04 AM
Last enriched: 7/1/2025, 5:10:12 AM
Last updated: 8/15/2025, 1:58:00 PM