CVE-2023-52922: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

can: bcm: Fix UAF in bcm_proc_show()

BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80
Read of size 8 at addr ffff888155846230 by task cat/7862

CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xd5/0x150
 print_report+0xc1/0x5e0
 kasan_report+0xba/0xf0
 bcm_proc_show+0x969/0xa80
 seq_read_iter+0x4f6/0x1260
 seq_read+0x165/0x210
 proc_reg_read+0x227/0x300
 vfs_read+0x1d5/0x8d0
 ksys_read+0x11e/0x240
 do_syscall_64+0x35/0xb0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Allocated by task 7846:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 __kasan_kmalloc+0x9e/0xa0
 bcm_sendmsg+0x264b/0x44e0
 sock_sendmsg+0xda/0x180
 ____sys_sendmsg+0x735/0x920
 ___sys_sendmsg+0x11d/0x1b0
 __sys_sendmsg+0xfa/0x1d0
 do_syscall_64+0x35/0xb0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 7846:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_save_free_info+0x27/0x40
 ____kasan_slab_free+0x161/0x1c0
 slab_free_freelist_hook+0x119/0x220
 __kmem_cache_free+0xb4/0x2e0
 rcu_core+0x809/0x1bd0

bcm_op is freed before the procfs entry is removed in bcm_release(); this leads to bcm_proc_show() possibly reading the freed bcm_op.
AI Analysis
Technical Summary
CVE-2023-52922 is a high-severity use-after-free (UAF) vulnerability identified in the Linux kernel's CAN (Controller Area Network) subsystem, specifically within the Broadcom (bcm) driver implementation. The vulnerability arises in the bcm_proc_show() function, which is responsible for displaying procfs entries related to the bcm driver. The root cause is that the bcm_op structure is freed prematurely before the procfs entry is removed in the bcm_release() function. This leads to bcm_proc_show() potentially accessing memory that has already been freed, causing a use-after-free condition. The vulnerability was detected through Kernel Address Sanitizer (KASAN) reports indicating slab-use-after-free errors during read operations initiated by user-space processes (e.g., the 'cat' command reading procfs entries). The call trace shows that the issue occurs during a sequence of kernel functions handling procfs reads and socket message sends. Exploiting this vulnerability could allow an attacker with local privileges (low privilege required) to execute arbitrary code in kernel space or cause a denial of service by crashing the kernel, impacting confidentiality, integrity, and availability. The CVSS v3.1 score is 7.8 (high), reflecting the vulnerability's significant impact and relatively low complexity to exploit, requiring local access but no user interaction. The vulnerability affects Linux kernel versions identified by the commit hash ffd980f976e7fd666c2e61bf8ab35107efd11828 and similar builds. No known exploits are currently reported in the wild, but the nature of the flaw and its presence in a widely used kernel subsystem make it a critical concern for systems running affected Linux kernels, especially those using the bcm CAN driver.
Potential Impact
For European organizations, this vulnerability poses a substantial risk, particularly for industries and sectors relying on Linux-based embedded systems, automotive control units, industrial automation, and IoT devices that utilize the CAN protocol and Broadcom hardware components. Exploitation could lead to privilege escalation, kernel-level code execution, or system crashes, potentially disrupting critical infrastructure, manufacturing processes, or automotive systems. Given the widespread use of Linux in enterprise servers, cloud environments, and embedded devices across Europe, the vulnerability could impact data confidentiality, system integrity, and availability. Organizations in sectors such as automotive manufacturing, industrial control systems, telecommunications, and critical infrastructure are at heightened risk. The requirement for local privileges limits remote exploitation but does not eliminate risk, as insider threats or compromised local accounts could leverage this flaw. Additionally, the vulnerability could be used as a stepping stone for further attacks within a networked environment, amplifying its impact on European enterprises and public sector entities.
Mitigation Recommendations
To mitigate CVE-2023-52922, European organizations should prioritize the following actions:
1) Apply the official Linux kernel patches that address the bcm_proc_show() use-after-free vulnerability as soon as they become available from trusted Linux distribution vendors or the upstream kernel.
2) For embedded and IoT devices using affected Linux kernels, coordinate with hardware and software vendors to obtain updated firmware or kernel versions incorporating the fix.
3) Restrict local access to systems running vulnerable kernels by enforcing strict access controls, limiting user privileges, and monitoring for suspicious local activity.
4) Implement kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in development and testing environments to detect similar memory safety issues proactively.
5) Conduct thorough audits of systems using the CAN protocol and Broadcom drivers to identify vulnerable devices and prioritize remediation.
6) Employ runtime security tools capable of detecting anomalous kernel behavior or crashes indicative of exploitation attempts.
7) Educate system administrators and security teams about the vulnerability specifics to enhance incident detection and response capabilities.
These targeted measures go beyond generic patching by focusing on access control, vendor coordination, and proactive detection tailored to the vulnerability's characteristics.
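Recommendation 6 asks for tooling that notices crashes like the KASAN report in the description. The following Python, added here as an example and not part of the advisory or of the kernel project, parses that report format (fed with the report quoted above, cut down to its key frames) into the fields a kernel-log alert rule would key on: the faulting function and access, and the callers that allocated and freed the object.

```python
import re
# KASAN report quoted in the advisory above (from the fix's commit message), cut to the key frames.
SAMPLE_REPORT = """\
BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80
Read of size 8 at addr ffff888155846230 by task cat/7862
Call Trace:
 kasan_report+0xba/0xf0
 bcm_proc_show+0x969/0xa80
Allocated by task 7846:
 kasan_save_stack+0x1e/0x40
 __kasan_kmalloc+0x9e/0xa0
 bcm_sendmsg+0x264b/0x44e0
Freed by task 7846:
 kasan_save_stack+0x1e/0x40
 __kmem_cache_free+0xb4/0x2e0
 rcu_core+0x809/0x1bd0
"""
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
SECTION_RE = re.compile(r"^(?:Call Trace|(?P<which>Allocated|Freed) by task (?P<pid>\d+)):$")
FRAME_RE = re.compile(r"^\s+(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
NOISE = ("kasan_", "__kasan_", "____kasan_", "slab_", "__kmem_", "kmem_",
         "dump_stack", "print_report")  # sanitizer/allocator plumbing above the real caller

def parse_kasan(text):
    """Extract bug kind, faulting access and the access/alloc/free stacks of one report."""
    rep, cur = {"stacks": {"access": [], "alloc": [], "free": []}}, None
    for line in text.splitlines():
        if m := BUG_RE.match(line):
            rep.update(kind=m["kind"], func=m["func"])
        elif m := ACCESS_RE.match(line):
            rep.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16),
                       comm=m["comm"], pid=int(m["pid"]))
        elif m := SECTION_RE.match(line):
            cur = {"Allocated": "alloc", "Freed": "free", None: "access"}[m["which"]]
            rep[cur + "_pid"] = int(m["pid"] or rep.get("pid", 0))  # who did it
        elif cur and (m := FRAME_RE.match(line)):
            rep["stacks"][cur].append(m["func"])
    return rep

def origin(frames):  # first frame that is not plumbing: the code that really touched the object
    return next((f for f in frames if not f.startswith(NOISE)), None)

def summarize(rep):
    """One-line triage string of the kind a kernel-log alert rule would emit."""
    s = rep["stacks"]
    return (f"{rep['kind']} in {rep['func']}: {rep['op'].lower()} of {rep['size']} bytes "
            f"by {rep['comm']}/{rep['pid']}; allocated in {origin(s['alloc'])} (task "
            f"{rep['alloc_pid']}), freed via {origin(s['free'])} (task {rep['free_pid']})")
```

Run against a full dmesg, the same regexes also pick up the CPU/Hardware lines' neighbours harmlessly, since only the BUG, access, section and frame lines are matched.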
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-08-21T06:07:11.018Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9831c4522896dcbe7924
Added to database: 5/21/2025, 9:09:05 AM
Last enriched: 7/3/2025, 4:12:02 AM
Last updated: 8/17/2025, 11:15:16 PM