CVE-2023-52886: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()

Syzbot reported an out-of-bounds read in sysfs.c:read_descriptors():

BUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883
Read of size 8 at addr ffff88801e78b8c8 by task udevd/5011

CPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
print_report mm/kasan/report.c:462 [inline]
kasan_report+0x11c/0x130 mm/kasan/report.c:572
read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883
...

Allocated by task 758:
...
__do_kmalloc_node mm/slab_common.c:966 [inline]
__kmalloc+0x5e/0x190 mm/slab_common.c:979
kmalloc include/linux/slab.h:563 [inline]
kzalloc include/linux/slab.h:680 [inline]
usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887
usb_enumerate_device drivers/usb/core/hub.c:2407 [inline]
usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545

As analyzed by Khazhy Kumykov, the cause of this bug is a race between read_descriptors() and hub_port_init(): The first routine uses a field in udev->descriptor, not expecting it to change, while the second overwrites it. Prior to commit 45bf39f8df7f ("USB: core: Don't hold device lock while reading the "descriptors" sysfs file") this race couldn't occur, because the routines were mutually exclusive thanks to the device locking. Removing that locking from read_descriptors() exposed it to the race.

The best way to fix the bug is to keep hub_port_init() from changing udev->descriptor once udev has been initialized and registered. Drivers expect the descriptors stored in the kernel to be immutable; we should not undermine this expectation. In fact, this change should have been made long ago.

So now hub_port_init() will take an additional argument, specifying a buffer in which to store the device descriptor it reads. (If udev has not yet been initialized, the buffer pointer will be NULL and then hub_port_init() will store the device descriptor in udev as before.) This eliminates the data race responsible for the out-of-bounds read.

The changes to hub_port_init() appear more extensive than they really are, because of indentation changes resulting from an attempt to avoid writing to other parts of the usb_device structure after it has been initialized. Similar changes should be made to the code that reads the BOS descriptor, but that can be handled in a separate patch later on. This patch is sufficient to fix the bug found by syzbot.
AI Analysis
Technical Summary
CVE-2023-52886 is a vulnerability in the Linux kernel's USB core subsystem, specifically related to a race condition between the functions read_descriptors() and hub_port_init(). The issue arises because read_descriptors() reads from a device descriptor field (udev->descriptor) assuming it is immutable, while hub_port_init() can overwrite this field concurrently. This race condition leads to an out-of-bounds read detected by Kernel Address Sanitizer (KASAN), indicating a memory safety violation. The root cause is the removal of device locking in read_descriptors(), which previously prevented concurrent access. The fix involves modifying hub_port_init() to avoid overwriting the device descriptor in the udev structure once it has been initialized and registered. Instead, hub_port_init() now accepts an additional buffer argument to store the device descriptor separately if udev is already initialized. This change preserves the immutability expectation of device descriptors by drivers and eliminates the data race. The vulnerability was discovered and reported by Syzbot, an automated kernel fuzzer, and analyzed by Khazhy Kumykov. The bug affects multiple Linux kernel versions prior to the fix and is related to USB device enumeration and sysfs interactions. While the vulnerability does not appear to have known exploits in the wild, it poses a risk of kernel memory corruption and potential system instability or denial of service. The patch also includes code restructuring to avoid modifying other parts of the usb_device structure after initialization, with further improvements planned for related descriptor handling code.
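To make the fix pattern from the commit message and the summary above concrete, the following is a small C model written for this page; it is not kernel code. The structure layouts, the use of bNumConfigurations as the descriptor field that the sysfs reader trusts (the page only says "a field in udev->descriptor"), and the constructed values 1 and 3 are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
/* Simplified stand-ins for the kernel structures (assumption: not the real layouts). */
struct usb_device_descriptor {
    uint8_t bNumConfigurations;   /* configurations the device claims to have */
};
struct usb_device {
    struct usb_device_descriptor descriptor;  /* immutable once the device is registered */
    int nalloc;                               /* rawdescriptors[] entries allocated at enumeration */
    const char *rawdescriptors[4];
};

/* Model of hub_port_init(): from_bus is the descriptor just read over the bus. With
 * dev_descr == NULL (udev not yet initialized) it is stored in udev as before; otherwise
 * it goes into the caller's buffer and udev->descriptor is never touched. The pre-fix
 * code only had the first path, even for an already registered device. */
static void hub_port_init_model(struct usb_device *udev,
                                const struct usb_device_descriptor *from_bus,
                                struct usb_device_descriptor *dev_descr)
{
    if (dev_descr)
        *dev_descr = *from_bus;
    else
        udev->descriptor = *from_bus;
}

/* Model of read_descriptors(): walks rawdescriptors[] using the count in udev->descriptor.
 * Returns entries visited, or -1 when the count would index past what was allocated,
 * which is the condition KASAN flagged as slab-out-of-bounds in the report. */
static int read_descriptors_model(const struct usb_device *udev)
{
    int cfgno, visited = 0;
    for (cfgno = 0; cfgno < udev->descriptor.bNumConfigurations; cfgno++) {
        if (cfgno >= udev->nalloc)
            return -1;
        visited++;
    }
    return visited;
}
/* Replays the reported interleaving: a device registered with one configuration is reset
 * and reports a descriptor claiming three (constructed values) while sysfs reads it.
 * Returns the reader's result; *seen receives the descriptor the re-enumeration produced. */
static int simulate_race(int apply_fix, struct usb_device_descriptor *seen)
{
    struct usb_device udev = { .descriptor = { 1 }, .nalloc = 1, .rawdescriptors = { "cfg0" } };
    struct usb_device_descriptor from_bus = { 3 }, scratch = { 0 };
    hub_port_init_model(&udev, &from_bus, apply_fix ? &scratch : NULL);
    if (seen)
        *seen = apply_fix ? scratch : udev.descriptor;
    return read_descriptors_model(&udev);
}
```

With the old behaviour the reader walks three entries of a one-entry array; with the buffered call the re-read descriptor still reaches the caller, but the registered udev->descriptor stays consistent with what was allocated.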
Potential Impact
For European organizations, this vulnerability could impact any systems running affected Linux kernel versions, particularly those that rely on USB device connectivity and enumeration. The out-of-bounds read could lead to kernel crashes, causing denial of service on critical infrastructure, servers, or endpoint devices. In environments where USB devices are frequently connected or disconnected, such as industrial control systems, office workstations, or cloud infrastructure nodes, exploitation of this race condition could disrupt operations. Although no direct privilege escalation or remote code execution is reported, kernel memory corruption vulnerabilities can sometimes be leveraged by attackers with local access to escalate privileges or bypass security controls. This risk is heightened in multi-tenant cloud environments or shared hosting providers prevalent in Europe. Additionally, the vulnerability affects the Linux kernel, which is widely used across European governments, enterprises, and service providers, increasing the potential attack surface. The lack of known exploits reduces immediate risk, but the presence of a race condition in a core kernel subsystem warrants prompt attention to prevent future exploitation attempts.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel to versions that include the patch for CVE-2023-52886. Since the vulnerability stems from a race condition in USB device descriptor handling, kernel upgrades are the most effective mitigation. Organizations should:
1) Identify all systems running affected Linux kernel versions, especially those with USB device usage.
2) Apply vendor-provided kernel updates or backported patches that address this vulnerability.
3) In environments where immediate patching is not feasible, consider restricting USB device usage or implementing USB device whitelisting to reduce exposure.
4) Monitor kernel logs and system behavior for signs of memory corruption or crashes related to USB operations.
5) Employ kernel hardening features such as KASAN or other memory safety tools in testing environments to detect similar issues proactively.
6) Coordinate with Linux distribution maintainers and cloud providers to ensure timely deployment of fixes.
7) Review and update incident response plans to include scenarios involving kernel-level vulnerabilities and potential denial of service conditions.
These steps go beyond generic advice by focusing on USB device management policies and leveraging kernel instrumentation tools for early detection.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-21T15:35:00.782Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9821c4522896dcbdd879
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 6/28/2025, 1:41:58 AM
Last updated: 8/8/2025, 12:39:22 AM