CVE-2023-52701: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net: use a bounce buffer for copying skb->mark

syzbot found arm64 builds would crash in sock_recv_mark() when CONFIG_HARDENED_USERCOPY=y

x86 and powerpc are not detecting the issue because they define user_access_begin. This will be handled in a different patch, because a check_object_size() is missing.

Only data from skb->cb[] can be copied directly to/from user space, as explained in commit 79a8a642bf05 ("net: Whitelist the skbuff_head_cache "cb" field")

syzbot report was:

usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_head_cache' (offset 168, size 4)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:102 !
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4410 Comm: syz-executor533 Not tainted 6.2.0-rc7-syzkaller-17907-g2d3827b3f393 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usercopy_abort+0x90/0x94 mm/usercopy.c:90
lr : usercopy_abort+0x90/0x94 mm/usercopy.c:90
sp : ffff80000fb9b9a0
x29: ffff80000fb9b9b0 x28: ffff0000c6073400 x27: 0000000020001a00
x26: 0000000000000014 x25: ffff80000cf52000 x24: fffffc0000000000
x23: 05ffc00000000200 x22: fffffc000324bf80 x21: ffff0000c92fe1a8
x20: 0000000000000001 x19: 0000000000000004 x18: 0000000000000000
x17: 656a626f2042554c x16: ffff0000c6073dd0 x15: ffff80000dbd2118
x14: ffff0000c6073400 x13: 00000000ffffffff x12: ffff0000c6073400
x11: ff808000081bbb4c x10: 0000000000000000 x9 : 7b0572d7cc0ccf00
x8 : 7b0572d7cc0ccf00 x7 : ffff80000bf650d4 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff0001fefbff08 x1 : 0000000100000000 x0 : 000000000000006c
Call trace:
 usercopy_abort+0x90/0x94 mm/usercopy.c:90
 __check_heap_object+0xa8/0x100 mm/slub.c:4761
 check_heap_object mm/usercopy.c:196 [inline]
 __check_object_size+0x208/0x6b8 mm/usercopy.c:251
 check_object_size include/linux/thread_info.h:199 [inline]
 __copy_to_user include/linux/uaccess.h:115 [inline]
 put_cmsg+0x408/0x464 net/core/scm.c:238
 sock_recv_mark net/socket.c:975 [inline]
 __sock_recv_cmsgs+0x1fc/0x248 net/socket.c:984
 sock_recv_cmsgs include/net/sock.h:2728 [inline]
 packet_recvmsg+0x2d8/0x678 net/packet/af_packet.c:3482
 ____sys_recvmsg+0x110/0x3a0
 ___sys_recvmsg net/socket.c:2737 [inline]
 __sys_recvmsg+0x194/0x210 net/socket.c:2767
 __do_sys_recvmsg net/socket.c:2777 [inline]
 __se_sys_recvmsg net/socket.c:2774 [inline]
 __arm64_sys_recvmsg+0x2c/0x3c net/socket.c:2774
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x64/0x178 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0xbc/0x180 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x110 arch/arm64/kernel/syscall.c:193
 el0_svc+0x58/0x14c arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
Code: 91388800 aa0903e1 f90003e8 94e6d752 (d4210000)
AI Analysis
Technical Summary
CVE-2023-52701 is a vulnerability identified in the Linux kernel affecting the handling of socket buffer (skb) marks during user-space copying operations. The issue arises specifically when the kernel is configured with CONFIG_HARDENED_USERCOPY enabled, a security feature designed to prevent kernel memory exposure by enforcing strict checks on memory copying between kernel and user space. The vulnerability was discovered through syzbot, an automated kernel fuzzer, which found that arm64 Linux kernel builds would crash in the function sock_recv_mark() due to improper handling of skb->mark data. The root cause is that only the skb->cb[] field of a socket buffer is whitelisted for direct copying to or from user space, as per kernel commit 79a8a642bf05, but the vulnerable code passed a pointer to skb->mark (offset 168, size 4, inside the skbuff_head_cache slab object) straight to put_cmsg(), so the hardened usercopy check rejected the copy and triggered a kernel BUG. x86 and powerpc do not detect the issue because they define user_access_begin and their copy path is missing a check_object_size() call; the commit notes this will be handled in a separate patch. The vulnerability can cause kernel crashes (denial of service) and potentially expose kernel memory contents to user space, which could lead to information disclosure or privilege escalation if exploited. The patch copies skb->mark into a local bounce buffer first and passes that buffer to put_cmsg(), so the copy no longer originates from a non-whitelisted region of the slab object. The vulnerability affects Linux kernel versions prior to the patch and is particularly relevant for systems running arm64 architecture with hardened usercopy enabled. No known exploits are reported in the wild as of the publication date.
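To make the mechanism concrete, the following is an added user-space model (not kernel code and not taken from the patch) of the check that hardened usercopy applies to a slab object with a usercopy whitelist: the pre-fix copy that points put_cmsg() at skb->mark inside the object is rejected, while the post-fix stack bounce buffer is accepted. The struct layout, the 48-byte cb[] region, the cache model and all function names are constructed for illustration; the real skb->mark sits at offset 168 as the report shows, and the real checker also validates stack and kernel-text ranges, which this model omits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct sk_buff: only the fields the example needs. */
struct skb_model {
    char     cb[48];    /* control buffer, whitelisted for usercopy */
    uint32_t mark;      /* lives in the same slab object, NOT whitelisted */
    uint32_t priority;
};

/* Constructed stand-in for a kmem_cache created with a usercopy whitelist. */
struct cache_model {
    const char *name;
    size_t object_size;
    size_t useroffset;  /* start of the usercopy whitelist inside the object */
    size_t usersize;    /* length of the whitelist */
};

static const struct cache_model skbuff_head_cache = {
    .name        = "skbuff_head_cache",
    .object_size = sizeof(struct skb_model),
    .useroffset  = offsetof(struct skb_model, cb),
    .usersize    = sizeof(((struct skb_model *)0)->cb),
};

/* Details of the last rejection, so a caller can see what the checker objected to. */
static size_t last_bad_offset;
static size_t last_bad_size;

/*
 * Model of the heap part of check_object_size(): if [ptr, ptr+n) lies inside a
 * slab object, it must lie entirely inside that cache's whitelist. Returns 0 when
 * the copy may proceed and -1 where the kernel would call usercopy_abort().
 */
static int check_object_size_model(const struct cache_model *cache, const void *obj,
                                   const void *ptr, size_t n)
{
    uintptr_t base = (uintptr_t)obj, p = (uintptr_t)ptr;

    if (p < base || p >= base + cache->object_size)
        return 0;                       /* not in this slab object: no heap objection */

    size_t off = p - base;
    if (off >= cache->useroffset && off + n <= cache->useroffset + cache->usersize)
        return 0;                       /* entirely inside the whitelisted cb[] region */

    last_bad_offset = off;
    last_bad_size = n;
    fprintf(stderr, "usercopy: Kernel memory exposure attempt detected from SLUB object "
                    "'%s' (offset %zu, size %zu)!\n", cache->name, off, n);
    return -1;
}

/* Model of the copy_to_user() inside put_cmsg(): the checker runs before bytes move. */
static int put_cmsg_model(void *user_dst, const void *src, size_t n,
                          const struct cache_model *cache, const void *obj)
{
    if (check_object_size_model(cache, obj, src, n) < 0)
        return -1;
    memcpy(user_dst, src, n);
    return 0;
}

/* Pre-fix shape: the source pointer is skb->mark, inside the slab object. */
static int sock_recv_mark_direct(const struct skb_model *skb, uint32_t *user_dst)
{
    return put_cmsg_model(user_dst, &skb->mark, sizeof(skb->mark), &skbuff_head_cache, skb);
}

/* Post-fix shape: copy the value to a local first and hand that local to put_cmsg. */
static int sock_recv_mark_bounce(const struct skb_model *skb, uint32_t *user_dst)
{
    uint32_t mark = skb->mark;          /* bounce buffer on the stack */
    return put_cmsg_model(user_dst, &mark, sizeof(mark), &skbuff_head_cache, skb);
}

int main(void)
{
    struct skb_model skb = { .mark = 0x1234 };   /* constructed sample skb */
    uint32_t out = 0;

    int rc = sock_recv_mark_direct(&skb, &out);
    printf("direct copy: rc=%d (rejected at offset %zu, size %zu)\n",
           rc, last_bad_offset, last_bad_size);

    rc = sock_recv_mark_bounce(&skb, &out);
    printf("bounce copy: rc=%d, mark=0x%x\n", rc, out);
    return 0;
}
```

Running it prints the usercopy message for the direct copy with offset 48 and size 4 (the model's equivalent of the report's offset 168), then a successful bounce copy of 0x1234. The point the model makes is that the bounce buffer does not weaken the check: the checker still refuses any copy sourced from a non-whitelisted part of a slab object, and the fix simply stops sourcing the copy from there.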
Potential Impact
For European organizations, the impact of CVE-2023-52701 can be significant, especially for those relying on arm64-based Linux servers or embedded devices with hardened usercopy enabled. The vulnerability can cause kernel panics leading to denial of service, disrupting critical services and operations. Additionally, the potential for kernel memory exposure could allow attackers to leak sensitive information or escalate privileges, compromising confidentiality and integrity of systems. This is particularly concerning for sectors such as finance, healthcare, telecommunications, and government infrastructure, where Linux servers are widely deployed. The arm64 architecture is increasingly common in cloud environments and edge computing devices, which are prevalent in Europe’s digital infrastructure. Organizations using Linux kernels without the patch risk operational instability and security breaches. Although no active exploits are known, the vulnerability’s presence in the kernel codebase means attackers with local access could attempt to trigger the flaw, emphasizing the need for timely mitigation.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to the latest patched versions that include the fix for CVE-2023-52701. Specifically, ensure that all arm64 systems with CONFIG_HARDENED_USERCOPY enabled are upgraded. For environments where immediate patching is challenging, consider disabling CONFIG_HARDENED_USERCOPY temporarily only if the risk of kernel memory exposure is outweighed by operational needs, but this is not recommended as a long-term solution. Implement strict access controls to limit local user access to trusted personnel and processes, reducing the risk of exploitation. Employ kernel crash monitoring and alerting to detect and respond to any kernel panics that may indicate attempted exploitation. Additionally, review and harden user-space applications interacting with socket buffers to minimize exposure. For cloud and containerized environments, ensure base images are updated and redeployed promptly. Regularly audit kernel configurations and maintain an inventory of affected systems to ensure comprehensive coverage of mitigation efforts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-03-07T14:49:46.891Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9830c4522896dcbe7398
Added to database: 5/21/2025, 9:09:04 AM
Last enriched: 7/1/2025, 6:09:45 AM
Last updated: 7/8/2025, 5:23:14 AM