
CVE-2023-52784: Vulnerability in Linux Linux

High
Published: Tue May 21 2024 (05/21/2024, 15:31:02 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

bonding: stop the device in bond_setup_by_slave()

Commit 9eed321cde22 ("net: lapbether: only support ethernet devices") has been able to keep syzbot away from net/lapb, until today.

In the following splat [1], the issue is that a lapbether device has been created on a bonding device without members. Then adding a non ARPHRD_ETHER member forced the bonding master to change its type.

The fix is to make sure we call dev_close() in bond_setup_by_slave() so that the potential linked lapbether devices (or any other devices having assumptions on the physical device) are removed.

A similar bug has been addressed in commit 40baec225765 ("bonding: fix panic on non-ARPHRD_ETHER enslave failure")

[1]
skbuff: skb_under_panic: text:ffff800089508810 len:44 put:40 head:ffff0000c78e7c00 data:ffff0000c78e7bea tail:0x16 end:0x140 dev:bond0
kernel BUG at net/core/skbuff.c:192 !
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 6007 Comm: syz-executor383 Not tainted 6.6.0-rc3-syzkaller-gbf6547d8715b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : skb_panic net/core/skbuff.c:188 [inline]
pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202
lr : skb_panic net/core/skbuff.c:188 [inline]
lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202
sp : ffff800096a06aa0
x29: ffff800096a06ab0 x28: ffff800096a06ba0 x27: dfff800000000000
x26: ffff0000ce9b9b50 x25: 0000000000000016 x24: ffff0000c78e7bea
x23: ffff0000c78e7c00 x22: 000000000000002c x21: 0000000000000140
x20: 0000000000000028 x19: ffff800089508810 x18: ffff800096a06100
x17: 0000000000000000 x16: ffff80008a629a3c x15: 0000000000000001
x14: 1fffe00036837a32 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000201 x10: 0000000000000000 x9 : cb50b496c519aa00
x8 : cb50b496c519aa00 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff800096a063b8 x4 : ffff80008e280f80 x3 : ffff8000805ad11c
x2 : 0000000000000001 x1 : 0000000100000201 x0 : 0000000000000086
Call trace:
skb_panic net/core/skbuff.c:188 [inline]
skb_under_panic+0x13c/0x140 net/core/skbuff.c:202
skb_push+0xf0/0x108 net/core/skbuff.c:2446
ip6gre_header+0xbc/0x738 net/ipv6/ip6_gre.c:1384
dev_hard_header include/linux/netdevice.h:3136 [inline]
lapbeth_data_transmit+0x1c4/0x298 drivers/net/wan/lapbether.c:257
lapb_data_transmit+0x8c/0xb0 net/lapb/lapb_iface.c:447
lapb_transmit_buffer+0x178/0x204 net/lapb/lapb_out.c:149
lapb_send_control+0x220/0x320 net/lapb/lapb_subr.c:251
__lapb_disconnect_request+0x9c/0x17c net/lapb/lapb_iface.c:326
lapb_device_event+0x288/0x4e0 net/lapb/lapb_iface.c:492
notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93
raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461
call_netdevice_notifiers_info net/core/dev.c:1970 [inline]
call_netdevice_notifiers_extack net/core/dev.c:2008 [inline]
call_netdevice_notifiers net/core/dev.c:2022 [inline]
__dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508
dev_close_many+0x1e0/0x470 net/core/dev.c:1559
dev_close+0x174/0x250 net/core/dev.c:1585
lapbeth_device_event+0x2e4/0x958 drivers/net/wan/lapbether.c:466
notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93
raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461
call_netdevice_notifiers_info net/core/dev.c:1970 [inline]
call_netdevice_notifiers_extack net/core/dev.c:2008 [inline]
call_netdevice_notifiers net/core/dev.c:2022 [inline]
__dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508
dev_close_many+0x1e0/0x470 net/core/dev.c:1559
dev_close+0x174/0x250 net/core/dev.c:1585
bond_enslave+0x2298/0x30cc drivers/net/bonding/bond_main.c:2332
bond_do_ioctl+0x268/0xc64 drivers/net/bonding/bond_main.c:4539
dev_ifsioc+0x754/0x9ac
dev_ioctl+0x4d8/0xd34 net/core/dev_ioctl.c:786
sock_do_ioctl+0x1d4/0x2d0 net/socket.c:1217
sock_ioctl+0x4e8/0x834 net/socket.c:1322
vfs_ioctl fs/ioctl.c:51 [inline]
__do_ ---truncated---

AI-Powered Analysis

Last updated: 07/01/2025, 06:57:33 UTC

Technical Analysis

CVE-2023-52784 is a vulnerability in the Linux kernel's bonding driver, specifically in how the bond_setup_by_slave() function handles network devices. The issue arises when a lapbether device (a network device that carries the LAPB protocol over Ethernet) is created on a bonding device that has no member interfaces. Subsequently adding a non-ARPHRD_ETHER (non-Ethernet) member forces the bonding master device to change its type improperly. This leads to inconsistencies and potential kernel panics, because devices linked to the master still hold assumptions about the physical device type. The root cause is the failure to properly close and clean up devices linked to the bonding master when such a change occurs.

The fix ensures that dev_close() is called in bond_setup_by_slave(), which removes any linked lapbether devices or other devices that rely on assumptions about the physical device. The vulnerability can cause kernel crashes (panics) and internal errors, as demonstrated by the kernel oops log in the description, whose stack trace involves skb_panic and lapbeth device events. It is related to a previously addressed bug (commit 40baec225765) that fixed a panic on non-ARPHRD_ETHER enslave failures.

The vulnerability affects Linux kernel versions around 6.6.0-rc3 and likely other versions using the bonding driver with similar code paths. No known exploits are reported in the wild yet, and no CVSS score has been assigned. Triggering it requires specific conditions involving bonding devices and non-Ethernet members, but it can lead to denial of service via kernel panic and potential disruption of network functionality on affected systems.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the affected bonding driver code, especially those utilizing network bonding for redundancy or performance. The impact includes potential denial of service due to kernel panics, which can disrupt critical network services, servers, and infrastructure relying on bonded interfaces. This is particularly concerning for data centers, cloud providers, telecom operators, and enterprises with high availability requirements. The disruption could affect internal networks, cloud-hosted services, and virtualized environments that rely on Linux-based hosts. While the vulnerability does not directly lead to privilege escalation or data leakage, the resulting system instability and downtime could impact business continuity and service availability. Given the widespread use of Linux in European IT infrastructure, including government, finance, and industrial sectors, the risk of operational disruption is significant if the vulnerability is exploited or triggered accidentally. However, exploitation requires specific network configurations, which may limit the scope somewhat. The absence of known active exploitation reduces the immediate risk, but patching is critical to prevent future incidents.

Mitigation Recommendations

European organizations should take the following specific mitigation steps:

1) Identify Linux systems using network bonding, particularly those with complex bonding configurations involving non-Ethernet interfaces or lapbether devices.
2) Apply the latest Linux kernel patches that include the fix for CVE-2023-52784 as soon as they become available from trusted Linux distributions or kernel maintainers.
3) In environments where immediate patching is not possible, consider temporarily disabling bonding interfaces or avoiding configurations that mix Ethernet and non-Ethernet members until patched.
4) Monitor kernel logs for signs of bonding-related errors or kernel panics that may indicate attempts to trigger this vulnerability.
5) For cloud and virtualized environments, coordinate with cloud providers to ensure underlying host kernels are patched.
6) Conduct configuration audits to ensure bonding devices are correctly set up without unsupported member types.
7) Implement robust backup and recovery procedures to minimize downtime impact in case of kernel crashes.

These steps go beyond generic advice by focusing on the specific bonding driver and network interface configurations involved in this vulnerability.
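The audit and log-monitoring steps above (1, 4 and 6) can be scripted. The following is an added example, not part of the original advisory or of the kernel project's code: it assumes the standard bonding sysfs layout (`bonding_masters`, `<bond>/bonding/slaves`, and `<dev>/type`, where 1 is ARPHRD_ETHER), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit bonding state relevant to CVE-2023-52784.
# Function names are hypothetical; sysfs paths are the standard bonding layout.
ARPHRD_ETHER=1   # /sys/class/net/<dev>/type value for Ethernet devices

# audit_bonds [sysfs_net_dir]: one line per finding; the directory argument
# lets the function run against a constructed tree instead of the live host.
audit_bonds() {
    net="${1:-/sys/class/net}"
    [ -r "$net/bonding_masters" ] || { echo "INFO no bonding masters"; return 0; }
    for bond in $(cat "$net/bonding_masters"); do
        btype=$(cat "$net/$bond/type" 2>/dev/null) || btype=unknown
        if [ "$btype" != "$ARPHRD_ETHER" ]; then
            echo "WARN $bond master has non-Ethernet type $btype"
        fi
        slaves=$(cat "$net/$bond/bonding/slaves" 2>/dev/null) || slaves=""
        if [ -z "$slaves" ]; then
            # An empty bond adopts the type of the first member it is given.
            echo "INFO $bond has no members"
            continue
        fi
        for s in $slaves; do
            t=$(cat "$net/$s/type" 2>/dev/null) || t=unknown
            if [ "$t" = "$ARPHRD_ETHER" ]; then
                echo "OK $bond member $s is Ethernet"
            else
                echo "WARN $bond member $s is non-Ethernet (type $t)"
            fi
        done
    done
}

# scan_kernel_log [file]: print log lines carrying the oops signature quoted
# in the description (skb_under_panic on a bond device). Reads stdin if no file.
scan_kernel_log() {
    grep -E 'skb_under_panic:.*dev:bond' "${1:--}" || true
}
```

Run `audit_bonds` with no argument on a live host, and feed `scan_kernel_log` the kernel log file your distribution writes or the output of `dmesg`.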


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-21T15:19:24.240Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9830c4522896dcbe7554

Added to database: 5/21/2025, 9:09:04 AM

Last enriched: 7/1/2025, 6:57:33 AM

Last updated: 8/1/2025, 7:48:57 AM
