
CVE-2023-52796: Vulnerability in Linux (ipvlan driver)

Severity: Medium
Published: Tue May 21 2024 (05/21/2024, 15:31:10 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ipvlan: add ipvlan_route_v6_outbound() helper

Inspired by syzbot reports using a stack of multiple ipvlan devices.

Reduce stack size needed in ipvlan_process_v6_outbound() by moving the flowi6 struct used for the route lookup in an non inlined helper. ipvlan_route_v6_outbound() needs 120 bytes on the stack, immediately reclaimed.

Also make sure ipvlan_process_v4_outbound() is not inlined.

We might also have to lower MAX_NEST_DEV, because only syzbot uses setups with more than four stacked devices.

BUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000)
stack guard page: 0000 [#1] SMP KASAN
CPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188
Code: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 <41> 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89
RSP: 0018:ffffc9000e804000 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568
RBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c
R13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000
FS:  00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <#DF>
 </#DF>
 <TASK>
 [<ffffffff81f281d1>] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31
 [<ffffffff817e5bf2>] instrument_atomic_read include/linux/instrumented.h:72 [inline]
 [<ffffffff817e5bf2>] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
 [<ffffffff817e5bf2>] cpumask_test_cpu include/linux/cpumask.h:506 [inline]
 [<ffffffff817e5bf2>] cpu_online include/linux/cpumask.h:1092 [inline]
 [<ffffffff817e5bf2>] trace_lock_acquire include/trace/events/lock.h:24 [inline]
 [<ffffffff817e5bf2>] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632
 [<ffffffff8563221e>] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306
 [<ffffffff8561464d>] rcu_read_lock include/linux/rcupdate.h:747 [inline]
 [<ffffffff8561464d>] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221
 [<ffffffff85618120>] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606
 [<ffffffff856f65b5>] pol_lookup_func include/net/ip6_fib.h:584 [inline]
 [<ffffffff856f65b5>] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116
 [<ffffffff85618009>] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638
 [<ffffffff8561821a>] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651
 [<ffffffff838bd5a3>] ip6_route_output include/net/ip6_route.h:100 [inline]
 [<ffffffff838bd5a3>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline]
 [<ffffffff838bd5a3>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
 [<ffffffff838bd5a3>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
 [<ffffffff838bd5a3>] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
 [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
 [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
 [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline]
 [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
 [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
 [<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
 [<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline]
 [<f ---truncated---
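The fix is a stack-budget change rather than a logic change, and the effect is easiest to see by measuring it. The following user-space C model is an added illustration, not the kernel's code and not part of this advisory: a recursive "transmit" function stands in for one stacked ipvlan device per level, a 120-byte struct (the size the commit message quotes) stands in for flowi6, and the distance between consecutive frames' local addresses gives the stack cost of one nesting level. The names fake_flowi6, xmit_before, xmit_after, route_lookup and route_v6_outbound are constructed stand-ins; NEST = 4 is an assumed depth chosen because the commit message calls more than four stacked devices unusual.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modeled nesting depth (assumption; the commit says >4 stacked devices is rare). */
#define NEST 4
/* Size the commit message gives for the route-lookup key's frame. */
#define FLOWI6_BYTES 120

/* Constructed stand-in for struct flowi6; only its size matters here. */
struct fake_flowi6 { unsigned char key[FLOWI6_BYTES]; };

/* Opaque "route lookup": the asm barrier forces the key to really exist in memory. */
__attribute__((noinline)) int route_lookup(const struct fake_flowi6 *fl6)
{
    __asm__ __volatile__("" : : "r"(fl6) : "memory");
    return fl6->key[0];
}

/* "Before" shape: the 120-byte key is a local of the recursive transmit function,
 * so it stays allocated in every level's frame while the next level runs. */
__attribute__((noinline)) int xmit_before(int depth, uintptr_t *marks)
{
    struct fake_flowi6 fl6;
    char marker;                        /* its address records where this frame sits */
    int r;

    marks[depth] = (uintptr_t)&marker;
    memset(&fl6, depth, sizeof fl6);
    r = route_lookup(&fl6);
    if (depth + 1 < NEST)
        r += xmit_before(depth + 1, marks);   /* next stacked device, one frame deeper */
    __asm__ __volatile__("" : : "r"(&marker) : "memory"); /* keep this frame live across the call */
    return r;
}

/* "After" shape (the idea of ipvlan_route_v6_outbound()): the key lives in a
 * non-inlined helper whose frame is gone before the next level is entered. */
__attribute__((noinline)) int route_v6_outbound(int depth)
{
    struct fake_flowi6 fl6;
    memset(&fl6, depth, sizeof fl6);
    return route_lookup(&fl6);           /* frame reclaimed immediately on return */
}

__attribute__((noinline)) int xmit_after(int depth, uintptr_t *marks)
{
    char marker;
    int r;

    marks[depth] = (uintptr_t)&marker;
    r = route_v6_outbound(depth);
    if (depth + 1 < NEST)
        r += xmit_after(depth + 1, marks);
    __asm__ __volatile__("" : : "r"(&marker) : "memory");
    return r;
}

/* Bytes one nesting level costs: distance between two consecutive frames' markers.
 * Uses absolute value so the result does not depend on stack growth direction. */
static uintptr_t frame_bytes(int (*xmit)(int, uintptr_t *))
{
    uintptr_t marks[NEST] = {0};
    volatile int start = 0;              /* non-constant entry depth, defeats constant cloning */
    (void)xmit(start, marks);
    return marks[1] > marks[2] ? marks[1] - marks[2] : marks[2] - marks[1];
}

uintptr_t frame_bytes_before(void) { return frame_bytes(xmit_before); }
uintptr_t frame_bytes_after(void)  { return frame_bytes(xmit_after); }

int main(void)
{
    unsigned long b = frame_bytes_before(), a = frame_bytes_after();
    printf("stack per nesting level: before=%lu bytes, after=%lu bytes (saved %lu)\n",
           b, a, b - a);
    printf("%d stacked devices: before=%lu bytes, after=%lu bytes\n",
           NEST, b * NEST, a * NEST);
    return 0;
}
```

The exact numbers vary by compiler and optimization level, but the "before" frame is always at least the size of the key larger than the "after" frame, and that difference is paid once per stacked device on a 16 KiB task stack (the range printed in the oops above is 0x4000 bytes), which is why the commit also talks about lowering MAX_NEST_DEV.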

AI-Powered Analysis

Last updated: 07/01/2025, 07:11:10 UTC

Technical Analysis

CVE-2023-52796 is a vulnerability in the Linux kernel's ipvlan network driver, in the handling of outbound IPv6 routing when ipvlan devices are stacked on top of one another. The issue is excessive stack usage in ipvlan_process_v6_outbound(), surfaced by syzbot fuzzing reports that used multiple stacked ipvlan devices. Each level of stacking sends the packet through the same transmit path again on the same kernel stack, so the per-level stack cost multiplies with the nesting depth. The result is stack exhaustion: the task runs off the bottom of its kernel stack and into the guard page below it, which the kernel reports as "TASK stack guard page was hit" (this is the stack being used up, not an out-of-bounds write into a stack buffer). The largest contributor was the flowi6 struct used for the route lookup, which lived in the frame of ipvlan_process_v6_outbound(); the fix moves it into a non-inlined helper, ipvlan_route_v6_outbound(), whose 120-byte frame is reclaimed as soon as the lookup returns instead of staying allocated for the rest of the outbound path. The fix also marks ipvlan_process_v4_outbound() as not to be inlined, and the developers are considering lowering the maximum nesting depth (MAX_NEST_DEV), since setups with more than four stacked devices are rare outside fuzzing. The vulnerability is triggered only under specific conditions: several stacked ipvlan devices and outbound IPv6 traffic. The crash log, taken from a KASAN-enabled kernel, shows the guard page fault occurring inside a KASAN shadow-memory check (kasan_check_range) while the IPv6 route lookup takes an RCU read lock; the consequence is a denial of service (kernel panic or crash). There is no evidence of known exploits in the wild, and no CVSS score has been assigned yet. The crash was reproduced on a 6.1.52 syzkaller build; other kernel versions containing the same ipvlan code path are potentially affected as well. In short, this is a stability and availability risk: kernel crashes caused by stack exhaustion during network packet processing.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with ipvlan network drivers configured with multiple stacked ipvlan devices, especially in environments utilizing IPv6 extensively. Such configurations are more common in advanced network virtualization, container orchestration platforms, and cloud infrastructure deployments. The impact includes potential denial of service due to kernel crashes, which can disrupt critical network services, cloud workloads, and containerized applications. Organizations relying on Linux-based network virtualization or container networking that use ipvlan may experience service outages or degraded performance. Although there is no indication of privilege escalation or remote code execution, the availability impact can be significant in production environments. Given the increasing adoption of IPv6 in Europe and the widespread use of Linux in enterprise and cloud infrastructure, the vulnerability could affect data centers, telecom providers, and enterprises with complex network setups. However, the requirement for multiple stacked ipvlan devices and the specific triggering conditions limit the scope of impact to specialized deployments rather than general Linux users.

Mitigation Recommendations

1. Apply the latest Linux kernel patches that address this vulnerability as soon as they become available from trusted sources or Linux distributions. Monitor vendor advisories for updated kernel packages.
2. Review and limit the use of stacked ipvlan devices in network configurations, especially avoiding setups with more than four nested ipvlan devices unless absolutely necessary.
3. If possible, temporarily disable or avoid using ipvlan stacking features in IPv6 environments until patches are applied.
4. Implement kernel hardening and runtime protections such as Kernel Address Sanitizer (KASAN) and stack guard pages to detect and mitigate stack overflows during development and testing phases.
5. Conduct thorough testing of network virtualization configurations involving ipvlan devices under IPv6 traffic to identify potential instability.
6. Maintain robust monitoring and alerting for kernel panics or crashes related to network drivers to enable rapid incident response.
7. For container orchestration platforms, consider alternative network drivers or plugins that do not rely on ipvlan stacking if feasible.
8. Engage with Linux distribution security teams to ensure timely updates and backports for affected kernel versions.
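Recommendation 6 is only useful if whoever reads the alert can tell a stack-exhaustion oops from other guard-page or KASAN reports. The following C helper is an added triage example, not from the advisory or the kernel: it parses the first line of the oops quoted in the description ("BUG: TASK stack guard page was hit at X (stack is A..B)"), derives the task stack size, and checks whether the faulting address lies in the guard page directly below the stack, which is the signature of the stack being used up on a downward-growing stack. The sample line and the short dmesg excerpt are constructed from lines on this page; the function names, the enum and the 4096-byte page size are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed copy of the page's BUG line (the kernel prints it on one line). */
static const char sample_oops_line[] =
    "BUG: TASK stack guard page was hit at ffffc9000e803ff8 "
    "(stack is ffffc9000e804000..ffffc9000e808000)";

/* Constructed dmesg excerpt; lines taken from the trace on this page. */
static const char sample_dmesg[] =
    "BUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000)\n"
    "stack guard page: 0000 [#1] SMP KASAN\n"
    "CPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0\n"
    "RIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188\n"
    "Call Trace:\n"
    " [<ffffffff838bd5a3>] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677\n";

enum guard_class { NOT_A_GUARD_HIT = -1, GUARD_HIT_ELSEWHERE = 0, GUARD_HIT_EXHAUSTION = 1 };

struct guard_hit {
    uint64_t fault;     /* address whose access tripped the guard page */
    uint64_t stack_lo;  /* lowest valid stack address */
    uint64_t stack_hi;  /* one past the highest valid stack address */
};

/* Parse the BUG line. Returns false for any other line or a malformed range. */
bool parse_guard_hit(const char *line, struct guard_hit *out)
{
    unsigned long long fault, lo, hi;
    const char *p = strstr(line, "stack guard page was hit at ");
    if (!p || sscanf(p, "stack guard page was hit at %llx (stack is %llx..%llx)",
                     &fault, &lo, &hi) != 3)
        return false;
    out->fault = fault;
    out->stack_lo = lo;
    out->stack_hi = hi;
    return hi > lo;
}

/* Size of the task stack the kernel gave this task; 0 if the line does not parse. */
uint64_t stack_size_from_line(const char *line)
{
    struct guard_hit h;
    return parse_guard_hit(line, &h) ? h.stack_hi - h.stack_lo : 0;
}

/* How far below the stack's lowest address the fault landed; 0 if not below it. */
uint64_t bytes_below_stack_from_line(const char *line)
{
    struct guard_hit h;
    if (!parse_guard_hit(line, &h) || h.fault >= h.stack_lo)
        return 0;
    return h.stack_lo - h.fault;
}

/* Exhaustion means the fault sits inside the single guard page right under the stack. */
enum guard_class classify_guard_line(const char *line, uint64_t page_size)
{
    struct guard_hit h;
    if (!parse_guard_hit(line, &h))
        return NOT_A_GUARD_HIT;
    if (h.fault < h.stack_lo && h.stack_lo - h.fault <= page_size)
        return GUARD_HIT_EXHAUSTION;
    return GUARD_HIT_ELSEWHERE;
}

/* Copy the BUG line out of a multi-line log into buf. */
bool find_guard_line(const char *log, char *buf, size_t buflen)
{
    const char *hit = strstr(log, "stack guard page was hit at ");
    if (!hit)
        return false;
    const char *start = hit;
    while (start > log && start[-1] != '\n')
        start--;                                 /* back up to the line start */
    const char *end = strchr(hit, '\n');
    size_t len = end ? (size_t)(end - start) : strlen(start);
    if (len + 1 > buflen)
        return false;
    memcpy(buf, start, len);
    buf[len] = '\0';
    return true;
}

/* Convenience entry point for a monitoring hook fed a dmesg excerpt. */
enum guard_class classify_log(const char *log, uint64_t page_size)
{
    char line[256];
    if (!find_guard_line(log, line, sizeof line))
        return NOT_A_GUARD_HIT;
    return classify_guard_line(line, page_size);
}

int main(void)
{
    printf("stack size: %llu bytes, fault %llu bytes below stack, class %d\n",
           (unsigned long long)stack_size_from_line(sample_oops_line),
           (unsigned long long)bytes_below_stack_from_line(sample_oops_line),
           (int)classify_log(sample_dmesg, 4096));
    return 0;
}
```

For the page's line the stack range is 0x4000 bytes (16 KiB) and the fault is 8 bytes below its bottom, so the classification is exhaustion; an alert rule can pair that result with the driver symbols in the call trace (here ipvlan_queue_xmit) to attribute the crash to the affected code path.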


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-21T15:19:24.246Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9830c4522896dcbe75b7

Added to database: 5/21/2025, 9:09:04 AM

Last enriched: 7/1/2025, 7:11:10 AM

Last updated: 8/6/2025, 6:39:00 PM

