CVE-2023-52843: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

llc: verify mac len before reading mac header

LLC reads the mac header with eth_hdr without verifying that the skb has an Ethernet header.

Syzbot was able to enter llc_rcv on a tun device. Tun can insert packets without mac len and with user configurable skb->protocol (passing a tun_pi header when not configuring IFF_NO_PI).

    BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]
    BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111
    llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]
    llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111
    llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218
    __netif_receive_skb_one_core net/core/dev.c:5523 [inline]
    __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637
    netif_receive_skb_internal net/core/dev.c:5723 [inline]
    netif_receive_skb+0x58/0x660 net/core/dev.c:5782
    tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555
    tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002

Add a mac_len test before all three eth_hdr(skb) calls under net/llc.

There are further uses in include/net/llc_pdu.h. All these are protected by a test skb->protocol == ETH_P_802_2. Which does not protect against this tun scenario.

But the mac_len test added in this patch in llc_fixup_skb will indirectly protect those too. That is called from llc_rcv before any other LLC code.

It is tempting to just add a blanket mac_len check in llc_rcv, but not sure whether that could break valid LLC paths that do not assume an Ethernet header. 802.2 LLC may be used on top of non-802.3 protocols in principle. The below referenced commit shows that used to, on top of Token Ring.

At least one of the three eth_hdr uses goes back to before the start of git history. But the one that syzbot exercises is introduced in this commit. That commit is old enough (2008), that effectively all stable kernels should receive this.
AI Analysis
Technical Summary
CVE-2023-52843 is a vulnerability in the Linux kernel's Logical Link Control (LLC) network protocol implementation. The LLC code reads the MAC header with eth_hdr() without verifying that the socket buffer (skb) actually contains an Ethernet header.

The flaw is triggered when packets are received on a tun device, which can insert packets with no MAC header length (mac_len) and with a user-configurable skb->protocol field (set through the tun_pi header when IFF_NO_PI is not configured). The LLC code then processes packets that lack the expected Ethernet header and uses uninitialized memory values. Syzbot found the issue through fuzzing: it entered llc_rcv with such a packet, and Kernel Memory Sanitizer (KMSAN) reported uninit-value use in llc_station_ac_send_test_r and llc_station_rcv.

The root cause is the absence of a mac_len check before calls to eth_hdr(), which assumes an Ethernet header is present. The patch adds a mac_len test before all three eth_hdr(skb) calls under net/llc, including one in llc_fixup_skb, which llc_rcv calls before any other LLC code. That test indirectly protects the further eth_hdr() uses in include/net/llc_pdu.h, which are otherwise guarded only by a skb->protocol == ETH_P_802_2 test that does not cover the tun scenario. A blanket mac_len check in llc_rcv was avoided because LLC may be used on top of non-802.3 protocols (e.g., Token Ring), and such a check could break valid LLC paths.

At least one of the three eth_hdr() uses predates git history, and the path that syzbot exercised was introduced in a 2008 commit, so effectively all stable kernels are affected. No known exploits are reported in the wild as of the publication date. The vulnerability is significant because it allows kernel code to operate on uninitialized memory, potentially leading to kernel crashes or undefined behavior, which could be leveraged for denial of service or privilege escalation in certain scenarios.
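The mac_len test described above, as an added userspace model in C (not the kernel patch and not code from this page). The struct, the function names, the 0xAA poison byte and the `mac_len < ETH_HLEN` form of the test are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETH_HLEN 14  /* dst(6) + src(6) + type/len(2) */
#define ETH_ALEN 6
#define POISON 0xAA  /* stands in for bytes no driver ever wrote */
/* Simplified model of the skb fields involved; not the kernel's struct sk_buff. */
struct model_skb {
    uint8_t buf[64];
    uint16_t mac_header; /* offset of the link-layer header in buf */
    uint16_t mac_len;    /* bytes of link-layer header actually present */
};

/* Like eth_hdr(): returns a pointer and performs no length check. */
static const uint8_t *model_eth_hdr(const struct model_skb *skb) {
    return skb->buf + skb->mac_header;
}

/* Constructed frame: ethernet != 0 writes a header, 0 models the tun case. */
static void fill_frame(struct model_skb *skb, int ethernet) {
    memset(skb->buf, POISON, sizeof(skb->buf));
    skb->mac_header = 16;
    skb->mac_len = ethernet ? ETH_HLEN : 0;
    if (ethernet) {
        memset(skb->buf + 16, 0x02, ETH_ALEN);            /* destination */
        memset(skb->buf + 16 + ETH_ALEN, 0x04, ETH_ALEN); /* source */
    }
}

/* Before: copies the source MAC with no mac_len test. */
static int src_mac_unchecked(const struct model_skb *skb, uint8_t out[ETH_ALEN]) {
    memcpy(out, model_eth_hdr(skb) + ETH_ALEN, ETH_ALEN);
    return 0;
}

/* After: reject frames that carry less than a full Ethernet header. */
static int src_mac_checked(const struct model_skb *skb, uint8_t out[ETH_ALEN]) {
    if (skb->mac_len < ETH_HLEN)
        return -1;
    return src_mac_unchecked(skb, out);
}

int main(void) {
    struct model_skb skb;
    uint8_t mac[ETH_ALEN];
    fill_frame(&skb, 0);
    printf("checked rc on tun-style frame: %d\n", src_mac_checked(&skb, mac));
    return 0;
}
```

In the model, the unchecked reader hands back poison bytes as a "source MAC" for the header-less frame, which is the class of read KMSAN flagged; the checked reader returns an error before touching the buffer.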
Potential Impact
For European organizations, the impact of CVE-2023-52843 depends on their use of Linux systems, particularly those employing tun devices or LLC protocols. Linux is widely deployed across European enterprises, government agencies, and critical infrastructure, especially in servers, networking equipment, and embedded devices. The vulnerability could lead to kernel crashes or memory corruption, resulting in denial of service conditions. In multi-tenant or cloud environments, this could disrupt services or be a vector for privilege escalation if combined with other vulnerabilities. Organizations using VPNs or virtual networking relying on tun/tap interfaces are particularly at risk. Although no active exploits are known, the long presence of this flaw means attackers could develop exploits targeting unpatched systems. The vulnerability's subtlety and kernel-level impact make it a serious concern for maintaining system stability and security. Disruption of critical services or exposure of sensitive data through kernel compromise would have significant operational and reputational consequences for European entities.
Mitigation Recommendations
European organizations should prioritize updating Linux kernels to versions that include the patch for CVE-2023-52843. Since the fix involves kernel code, applying vendor-provided kernel updates or recompiling kernels with the patch is essential. For environments where immediate patching is challenging, organizations should audit and restrict the use of tun devices and carefully monitor network interfaces that handle LLC traffic. Implementing strict access controls and network segmentation can reduce exposure. Additionally, enabling kernel memory sanitizers (KMSAN is a build-time instrumentation intended for test and fuzzing kernels, not production) or runtime protection tools may help detect anomalous behavior related to this vulnerability. Network administrators should review configurations to avoid scenarios where tun devices accept packets without proper MAC headers. Security teams should monitor for unusual kernel crashes or logs indicating KMSAN warnings; the latter appear only on kernels built with KMSAN. Finally, integrating this vulnerability into vulnerability management and patching workflows will ensure timely remediation across all Linux-based systems.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-21T15:19:24.254Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9830c4522896dcbe76fe
Added to database: 5/21/2025, 9:09:04 AM
Last enriched: 7/1/2025, 7:42:01 AM
Last updated: 8/12/2025, 6:57:17 AM