
CVE-2023-52885: Vulnerability in the Linux kernel (SUNRPC / NFS server)

Severity: High
Published: Sun Jul 14 2024 (07/14/2024, 07:11:28 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

SUNRPC: Fix UAF in svc_tcp_listen_data_ready()

After the listener svc_sock is freed, and before invoking svc_tcp_accept() for the established child sock, there is a window in which the newsock retains a freed listener svc_sock in sk_user_data, cloned from the parent. In the race window, if data is received on the newsock, we will observe a use-after-free report in svc_tcp_listen_data_ready().

Reproduce by two tasks:

1. while :; do rpc.nfsd 0 ; rpc.nfsd; done
2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done

KASAN report:

==================================================================
BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]
Read of size 8 at addr ffff888139d96228 by task nc/102553

CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
Call Trace:
 <IRQ>
 dump_stack_lvl+0x33/0x50
 print_address_description.constprop.0+0x27/0x310
 print_report+0x3e/0x70
 kasan_report+0xae/0xe0
 svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]
 tcp_data_queue+0x9f4/0x20e0
 tcp_rcv_established+0x666/0x1f60
 tcp_v4_do_rcv+0x51c/0x850
 tcp_v4_rcv+0x23fc/0x2e80
 ip_protocol_deliver_rcu+0x62/0x300
 ip_local_deliver_finish+0x267/0x350
 ip_local_deliver+0x18b/0x2d0
 ip_rcv+0x2fb/0x370
 __netif_receive_skb_one_core+0x166/0x1b0
 process_backlog+0x24c/0x5e0
 __napi_poll+0xa2/0x500
 net_rx_action+0x854/0xc90
 __do_softirq+0x1bb/0x5de
 do_softirq+0xcb/0x100
 </IRQ>
 <TASK>
 ...
 </TASK>

Allocated by task 102371:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 __kasan_kmalloc+0x7b/0x90
 svc_setup_socket+0x52/0x4f0 [sunrpc]
 svc_addsock+0x20d/0x400 [sunrpc]
 __write_ports_addfd+0x209/0x390 [nfsd]
 write_ports+0x239/0x2c0 [nfsd]
 nfsctl_transaction_write+0xac/0x110 [nfsd]
 vfs_write+0x1c3/0xae0
 ksys_write+0xed/0x1c0
 do_syscall_64+0x38/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

Freed by task 102551:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_save_free_info+0x2a/0x50
 __kasan_slab_free+0x106/0x190
 __kmem_cache_free+0x133/0x270
 svc_xprt_free+0x1e2/0x350 [sunrpc]
 svc_xprt_destroy_all+0x25a/0x440 [sunrpc]
 nfsd_put+0x125/0x240 [nfsd]
 nfsd_svc+0x2cb/0x3c0 [nfsd]
 write_threads+0x1ac/0x2a0 [nfsd]
 nfsctl_transaction_write+0xac/0x110 [nfsd]
 vfs_write+0x1c3/0xae0
 ksys_write+0xed/0x1c0
 do_syscall_64+0x38/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready() if state != TCP_LISTEN, that will avoid dereferencing svsk for all child sockets.

AI-Powered Analysis

Last updated: 07/01/2025, 08:12:37 UTC

Technical Analysis

CVE-2023-52885 is a use-after-free (UAF) in the Linux kernel's SUNRPC server code, specifically in svc_tcp_listen_data_ready(), the sk_data_ready callback that the NFS server (rpc.nfsd) installs on its TCP listening socket. When a client completes the TCP handshake, the kernel creates the child socket by cloning the listener, so the child inherits both the sk_data_ready callback and the listener's sk_user_data, which points at the listener's svc_sock. Both fields are only replaced later, when an nfsd thread runs svc_tcp_accept() and svc_setup_socket() allocates a svc_sock for the child. That delay is the race window. If the listener's svc_sock is freed inside it, which happens when nfsd is stopped or its thread count is reset (rpc.nfsd 0 writes to /proc/fs/nfsd/threads; the free path in the report is write_threads() to nfsd_svc() to svc_xprt_destroy_all() to svc_xprt_free()), and data then arrives on the not-yet-accepted child, tcp_data_queue() invokes the inherited svc_tcp_listen_data_ready() on the child socket and the callback dereferences the dangling sk_user_data pointer. KASAN flags this as an 8-byte slab-use-after-free read in softirq context; the object was allocated in svc_setup_socket() via svc_addsock() while nfsd was being configured. The root cause is that the callback assumed it only ever ran on the listening socket and never checked sk_state. The fix returns immediately when sk->sk_state != TCP_LISTEN, so the svc_sock pointer is dereferenced only for the listener and child sockets that have not yet been accepted are ignored. Two practical caveats follow from the trace. First, the trigger requires both network reach to the NFS TCP port and a concurrent teardown of the listener; the reproducer in the commit message supplies the teardown with a root-driven rpc.nfsd restart loop, so a remote peer cannot force the free on its own and exposure is highest while nfsd is being restarted or reconfigured on a host that accepts connections. Second, the fault is a read in softirq context, so the demonstrated outcome is a KASAN report or a kernel oops (denial of service); turning it into code execution would require controlling the freed slab object and is not shown anywhere. Only the TCP transport uses this callback, so NFS over UDP is not affected by this particular bug. No exploitation in the wild is reported. The bug matters because the kernel is deployed across servers, cloud infrastructure and embedded devices, and NFS remains a common network file sharing protocol in enterprise environments.
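The race and the fix are easiest to see in a user-space model of the socket-cloning behaviour. The block below is an added illustration written for this page, not kernel code and not the upstream patch: struct model_sock, struct model_svc_sock, run_race() and the other names are invented, and instead of really freeing the listener's svc_sock it marks the object as freed so the dangling access is observable (KASAN's job in the real report) rather than undefined behaviour. The vulnerable callback dereferences sk_user_data unconditionally; the fixed one bails out unless the socket is in the LISTEN state, which is the shape of the upstream fix described above.

```c
/*
 * Added model of CVE-2023-52885 (not kernel code). A child socket is cloned
 * from the LISTEN socket and inherits sk_user_data (the listener's svc_sock)
 * and the sk_data_ready callback. If the listener svc_sock is freed before
 * svc_tcp_accept() gives the child its own svc_sock, data arriving on the
 * child runs the inherited callback against freed memory.
 * All type and function names here are invented for the model.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum model_state { MODEL_TCP_LISTEN = 1, MODEL_TCP_ESTABLISHED = 2 };

struct model_svc_sock {
    unsigned long xpt_flags;   /* stands in for svsk->sk_xprt.xpt_flags */
    bool freed;                /* poison bit: the model's substitute for KASAN */
};

struct model_sock {
    enum model_state sk_state;
    struct model_svc_sock *sk_user_data;
    void (*sk_data_ready)(struct model_sock *sk);
};

static int uaf_hits;       /* accesses to a "freed" svc_sock */
static int enqueue_count;  /* legitimate enqueues on the live listener */

static void touch_svsk(struct model_svc_sock *svsk)
{
    if (svsk->freed) {
        uaf_hits++;            /* in the kernel: slab-use-after-free */
    } else {
        svsk->xpt_flags |= 1;  /* set_bit(XPT_CONN, ...) */
        enqueue_count++;       /* svc_xprt_enqueue(&svsk->sk_xprt) */
    }
}

/* Vulnerable shape: trusts sk_user_data on whatever socket it runs on. */
static void data_ready_vulnerable(struct model_sock *sk)
{
    struct model_svc_sock *svsk = sk->sk_user_data;
    if (svsk)
        touch_svsk(svsk);
}

/* Fixed shape: only the LISTEN socket owns a valid svc_sock; a child that
 * has not been accepted yet still carries the parent's pointer, so ignore it. */
static void data_ready_fixed(struct model_sock *sk)
{
    if (sk->sk_state != MODEL_TCP_LISTEN)
        return;
    struct model_svc_sock *svsk = sk->sk_user_data;
    if (svsk)
        touch_svsk(svsk);
}

/* Handshake completion: the child is a copy of the parent, state aside. */
static void clone_child(const struct model_sock *parent, struct model_sock *child)
{
    *child = *parent;
    child->sk_state = MODEL_TCP_ESTABLISHED;
}

/* Replay the race with the given callback and return how many accesses to
 * the freed listener svc_sock were observed (0 means the callback is safe). */
int run_race(void (*data_ready)(struct model_sock *))
{
    struct model_svc_sock *listener_svsk = calloc(1, sizeof(*listener_svsk));
    struct model_sock listener = { MODEL_TCP_LISTEN, listener_svsk, data_ready };
    struct model_sock child;

    uaf_hits = 0;
    enqueue_count = 0;

    listener.sk_data_ready(&listener);   /* connection arrives on the listener */
    clone_child(&listener, &child);      /* child inherits callback + pointer */
    listener_svsk->freed = true;         /* rpc.nfsd 0: svc_xprt_destroy_all() */
    child.sk_data_ready(&child);         /* data on child before accept */

    int hits = uaf_hits;
    free(listener_svsk);
    return hits;
}

int legitimate_enqueues(void) { return enqueue_count; }

int main(void)
{
    printf("vulnerable: %d freed-object access(es)\n", run_race(data_ready_vulnerable));
    printf("fixed:      %d freed-object access(es)\n", run_race(data_ready_fixed));
    return 0;
}
```

The listener's own callback still runs once in both variants (the enqueue that wakes an nfsd thread to accept), which is why the fix can be a bare early return rather than a change to the accept path: nothing useful was ever done for a child socket in that callback.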

Potential Impact

For European organizations, the exposure is confined to hosts running an unpatched kernel and serving NFS over TCP with rpc.nfsd. The demonstrated outcome is a kernel crash, i.e. denial of service for every workload on the host, not just the NFS export; privilege escalation or code execution would require additional, undemonstrated control over the freed slab object, so treat those as a worst-case possibility rather than the expected impact. Because the listener's svc_sock is freed only when nfsd is stopped or its thread count is changed, an attacker needs network access to TCP port 2049 at a moment when the service is being restarted or reconfigured; internal file servers that are restarted by automation while reachable from untrusted network segments, and NFS endpoints exposed directly to the internet, are the realistic targets. Linux file servers, cloud platforms and virtualized environments are common across European data centres, government agencies and enterprises, and shared storage for legacy systems often still rides on NFS, so an outage can interrupt business operations broadly. No exploitation in the wild is reported, which limits the immediate threat, but an availability loss on shared storage can still have regulatory consequences under European data protection rules where it disrupts services that process personal data.

Mitigation Recommendations

European organizations should prioritize updating affected kernels to a build that includes the fix for CVE-2023-52885. Because the bug lives in the SUNRPC TCP server path used by nfsd, administrators should:

1) Inventory Linux hosts that run nfsd and listen on TCP port 2049, and record their kernel versions; any kernel without the fix is affected. NFS over UDP does not use the vulnerable callback.

2) Apply vendor kernel updates or backported patches promptly, and follow the Linux distribution security advisories to confirm which kernel builds carry the fix.

3) Where patching must wait, restrict TCP 2049 (and, for NFSv3, rpcbind and mountd) to trusted subnets with firewall rules or network segmentation, or take the NFS service offline. Since the freed object is the listener's svc_sock, avoid restarting or reconfiguring nfsd (rpc.nfsd, writes to /proc/fs/nfsd/threads) while the host is reachable from untrusted networks; stop client access first, then restart.

4) Monitor kernel logs for oopses or warnings in svc_tcp_listen_data_ready, and correlate bursts of short-lived TCP connections to port 2049 with nfsd restarts, which is the pattern of the reproducer.

5) Use KASAN only in test or fuzzing builds: it is a debugging sanitizer, not a production hardening feature, and it is how this bug was found. Production hosts should rely on the patch.

6) Review export access controls (/etc/exports and per-export host restrictions) to limit which clients can reach the service at all.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-21T15:35:00.782Z
CISA Enriched: true
CVSS Version: null (no CVSS vector published in the CVE record)
State: PUBLISHED

Threat ID: 682d9831c4522896dcbe783f

Added to database: 5/21/2025, 9:09:05 AM

Last enriched: 7/1/2025, 8:12:37 AM

Last updated: 8/18/2025, 11:25:05 PM

