
CVE-2023-52975: Vulnerability in the Linux kernel (vendor: Linux, product: Linux)

Severity: High
Published: Thu Mar 27 2025 (03/27/2025, 16:43:15 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress

Bug report and analysis from Ding Hui.

During iSCSI session logout, if another task accesses the shost ipaddress attr, we can get a KASAN UAF report like this:

[ 276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0
[ 276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088
[ 276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G E 6.1.0-rc8+ #3
[ 276.943997] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[ 276.944470] Call Trace:
[ 276.944943] <TASK>
[ 276.945397] dump_stack_lvl+0x34/0x48
[ 276.945887] print_address_description.constprop.0+0x86/0x1e7
[ 276.946421] print_report+0x36/0x4f
[ 276.947358] kasan_report+0xad/0x130
[ 276.948234] kasan_check_range+0x35/0x1c0
[ 276.948674] _raw_spin_lock_bh+0x78/0xe0
[ 276.949989] iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp]
[ 276.951765] show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi]
[ 276.952185] dev_attr_show+0x3f/0x80
[ 276.953005] sysfs_kf_seq_show+0x1fb/0x3e0
[ 276.953401] seq_read_iter+0x402/0x1020
[ 276.954260] vfs_read+0x532/0x7b0
[ 276.955113] ksys_read+0xed/0x1c0
[ 276.955952] do_syscall_64+0x38/0x90
[ 276.956347] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 276.956769] RIP: 0033:0x7f5d3a679222
[ 276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
[ 276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222
[ 276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003
[ 276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000
[ 276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000
[ 276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58
[ 276.960536] </TASK>
[ 276.961357] Allocated by task 2209:
[ 276.961756] kasan_save_stack+0x1e/0x40
[ 276.962170] kasan_set_track+0x21/0x30
[ 276.962557] __kasan_kmalloc+0x7e/0x90
[ 276.962923] __kmalloc+0x5b/0x140
[ 276.963308] iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi]
[ 276.963712] iscsi_session_setup+0xda/0xba0 [libiscsi]
[ 276.964078] iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp]
[ 276.964431] iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi]
[ 276.964793] iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi]
[ 276.965153] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]
[ 276.965546] netlink_unicast+0x4d5/0x7b0
[ 276.965905] netlink_sendmsg+0x78d/0xc30
[ 276.966236] sock_sendmsg+0xe5/0x120
[ 276.966576] ____sys_sendmsg+0x5fe/0x860
[ 276.966923] ___sys_sendmsg+0xe0/0x170
[ 276.967300] __sys_sendmsg+0xc8/0x170
[ 276.967666] do_syscall_64+0x38/0x90
[ 276.968028] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 276.968773] Freed by task 2209:
[ 276.969111] kasan_save_stack+0x1e/0x40
[ 276.969449] kasan_set_track+0x21/0x30
[ 276.969789] kasan_save_free_info+0x2a/0x50
[ 276.970146] __kasan_slab_free+0x106/0x190
[ 276.970470] __kmem_cache_free+0x133/0x270
[ 276.970816] device_release+0x98/0x210
[ 276.971145] kobject_cleanup+0x101/0x360
[ 276.971462] iscsi_session_teardown+0x3fb/0x530 [libiscsi]
[ 276.971775] iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp]
[ 276.972143] iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi]
[ 276.972485] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]
[ 276.972808] netlink_unicast+0x4d5/0x7b0
[ 276.973201] netlink_sendmsg+0x78d/0xc30
[ 276.973544] sock_sendmsg+0xe5/0x120
[ 276.973864] ____sys_sendmsg+0x5fe/0x860
[ 276.974248] ___sys_ ---truncated---

AI-Powered Analysis

AI analysis last updated: 07/03/2025, 03:55:17 UTC

Technical Analysis

CVE-2023-52975 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's iSCSI TCP transport (the iscsi_tcp module). The flaw occurs during iSCSI session logout: if another task reads the SCSI host's (shost) ipaddress attribute while the session is being torn down, it can trigger a use-after-free, which the Kernel Address Sanitizer (KASAN) reports as an invalid memory access and which can lead to kernel crashes or, potentially, arbitrary code execution. The root cause is improper synchronization and memory management in the iscsi_tcp module: session teardown frees resources that other tasks may still be accessing. The kernel log excerpt in the description shows the UAF being hit in _raw_spin_lock_bh, reached from iscsi_sw_tcp_host_get_param through the iscsi_tcp and scsi_transport_iscsi modules, while the freeing stack runs through iscsi_session_teardown. The vulnerability is tracked as CWE-416 (Use After Free) and carries a CVSS v3.1 score of 7.8, reflecting high impact on confidentiality, integrity and availability. Exploitation requires local access (AV:L), low attack complexity (AC:L) and low privileges (PR:L), but no user interaction (UI:N). No exploits are currently reported in the wild. The vulnerability affects Linux kernel versions containing the iscsi_tcp transport implementation, which is widely used in enterprise environments for storage networking over IP. The patch details are not provided in the source, but the issue has been resolved in recent kernel updates. A local attacker or malicious process could leverage the use-after-free during iSCSI session logout to escalate privileges, cause a denial of service, or potentially execute arbitrary code in kernel context.
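The race the description and analysis above describe, modelled in user-space C as an added example (not the kernel's own code and not its patch): a host object that outlives its session, an attribute reader that resolves the session pointer, and a logout path that frees the session. The struct names, the host-level lock and the address value are assumptions constructed for the illustration; the point is the defensive shape, not the exact upstream change.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>
/* Stand-ins for the kernel types, constructed for this example: a spinlock built on an
 * atomic flag, the session holding the address, and the host that outlives the session. */
typedef struct { atomic_flag f; } spinlock_model;
static void spin_lock_model(spinlock_model *l) { while (atomic_flag_test_and_set(&l->f)) {} }
static void spin_unlock_model(spinlock_model *l) { atomic_flag_clear(&l->f); }
struct session_model { char ipaddress[64]; };
struct host_model { spinlock_model lock; struct session_model *session; }; /* session NULL after logout */
/* Attribute read, hardened: resolve and use the session pointer only under the host
 * lock, and report a detached session as -ENOTCONN. The buggy shape read it unguarded. */
int host_get_ipaddress(struct host_model *host, char *buf, size_t len)
{
    int rc = -ENOTCONN;
    spin_lock_model(&host->lock);
    if (host->session) {
        strncpy(buf, host->session->ipaddress, len - 1);
        buf[len - 1] = '\0';
        rc = 0;
    }
    spin_unlock_model(&host->lock);
    return rc;
}
/* Logout: detach under the same lock, then free once no reader can reach the session. */
void host_session_destroy(struct host_model *host)
{
    spin_lock_model(&host->lock);
    struct session_model *s = host->session;
    host->session = NULL;
    spin_unlock_model(&host->lock);
    free(s);
}
/* The sequence from the report: read the attr, log out, read again. Returns the second
 * read's result (expected -ENOTCONN), or 1 if the first read did not yield the address. */
int logout_sequence(void)
{
    char buf[64];
    struct host_model *host = calloc(1, sizeof *host);
    host->lock.f = (atomic_flag)ATOMIC_FLAG_INIT;
    host->session = calloc(1, sizeof *host->session);
    strcpy(host->session->ipaddress, "10.0.0.5");    /* constructed address */
    int rc = host_get_ipaddress(host, buf, sizeof buf);
    if (rc != 0 || strcmp(buf, "10.0.0.5") != 0)
        return 1;
    host_session_destroy(host);
    rc = host_get_ipaddress(host, buf, sizeof buf);  /* safe: session is NULL */
    free(host);
    return rc;
}
```

In the vulnerable shape the reader copied host->session into a local and took a lock inside the session itself, so a logout running between those two steps left it spinning on freed memory, which is exactly the write in _raw_spin_lock_bh that KASAN flagged.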

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially to enterprises relying on Linux-based servers and storage infrastructure that use iSCSI for SAN (Storage Area Network) connectivity. The use-after-free flaw can lead to kernel crashes and denial of service, affecting the availability of critical services. More critically, it could allow local attackers or compromised processes to escalate privileges to kernel level, threatening the confidentiality and integrity of sensitive data. Organizations in sectors such as finance, healthcare, telecommunications and government, which often deploy Linux servers with iSCSI storage, may face operational disruptions and data breaches if it is exploited. The impact is heightened in virtualized environments (e.g., VMware) where multiple tenants share hardware, increasing the attack surface. Given the low complexity of exploitation and the absence of required user interaction, the vulnerability could be exploited by insiders or by malware running with limited privileges. The lack of known exploits in the wild currently reduces immediate risk, but patching is urgent to prevent future exploitation. Failure to address this vulnerability could lead to compliance violations under GDPR and other data protection regulations due to potential unauthorized access or data loss.

Mitigation Recommendations

European organizations should prioritize updating Linux kernels to versions where CVE-2023-52975 is patched. Since the vulnerability resides in the iscsi_tcp kernel module, kernel updates from trusted Linux distributions (e.g., Debian, Ubuntu, Red Hat, SUSE) should be applied promptly. Organizations using custom or embedded Linux kernels must backport the fix or upgrade accordingly. Additionally, auditing and restricting local user privileges can reduce exploitation risk, as the vulnerability requires local access with some privileges. Monitoring kernel logs for KASAN or related error messages can help detect attempted exploitation or unstable systems; note that KASAN is a debugging option normally compiled only into test kernels, so on a production kernel the same fault is more likely to surface as an oops or panic in the iscsi_tcp call path. Temporarily disabling the iSCSI TCP transport may be considered in environments where iSCSI is not critical, to reduce exposure. Implementing strict access controls and isolating critical storage networks can limit attacker movement. Regular vulnerability scanning and penetration testing should include checks for this vulnerability. Finally, organizations should maintain incident response readiness to address any exploitation attempts quickly.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-03-27T16:40:15.737Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d982fc4522896dcbe6c1c

Added to database: 5/21/2025, 9:09:03 AM

Last enriched: 7/3/2025, 3:55:17 AM

Last updated: 8/11/2025, 7:35:33 PM

