
CVE-2023-52992: Vulnerability in the Linux kernel

Severity: High
Published: Thu Mar 27 2025 (03/27/2025, 16:43:27 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Skip task with pid=1 in send_signal_common()

The following kernel panic can be triggered when a task with pid=1 attaches a prog that attempts to send killing signal to itself, also see [1] for more details:

    Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
    CPU: 3 PID: 1 Comm: systemd Not tainted 6.1.0-09652-g59fe41b5255f #148
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0x100/0x178 lib/dump_stack.c:106
     panic+0x2c4/0x60f kernel/panic.c:275
     do_exit.cold+0x63/0xe4 kernel/exit.c:789
     do_group_exit+0xd4/0x2a0 kernel/exit.c:950
     get_signal+0x2460/0x2600 kernel/signal.c:2858
     arch_do_signal_or_restart+0x78/0x5d0 arch/x86/kernel/signal.c:306
     exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
     exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
     __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
     syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
     do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86
     entry_SYSCALL_64_after_hwframe+0x63/0xcd

So skip task with pid=1 in bpf_send_signal_common() to avoid the panic.

[1] https://lore.kernel.org/bpf/20221222043507.33037-1-sunhao.th@gmail.com

AI-Powered Analysis

Last updated: 07/01/2025, 02:56:13 UTC

Technical Analysis

CVE-2023-52992 is a vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) subsystem, specifically in the signal-sending path implemented by bpf_send_signal_common(). It is triggered when the task with process ID (pid) 1, normally the init process (for example systemd), attaches a BPF program that sends a killing signal to itself. Because the signal-sending logic did not treat pid 1 specially, the kernel ends up terminating init and panics with "Kernel panic - not syncing: Attempted to kill init!", an unrecoverable crash of the whole system. The fix makes bpf_send_signal_common() skip the task with pid=1. Kernel versions prior to the patch are affected, and the outcome is a denial of service (DoS) by crashing the entire system. Exploitation requires no user interaction but does require the ability to attach BPF programs and send signals, which normally implies some level of privilege or capability. No exploits in the wild were known at the time of publication, and no CVSS score has been assigned. The vulnerability was publicly disclosed on March 27, 2025.

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily in environments running vulnerable Linux kernel versions, especially on servers and critical infrastructure systems where systemd or similar init systems are used. A successful exploitation leads to a kernel panic and system crash, resulting in denial of service. This can disrupt business operations, cause downtime, and potentially lead to data loss if systems are not properly backed up or if the crash occurs during critical operations. Systems that rely heavily on BPF for monitoring, networking, or security functions may be more exposed. The impact is particularly severe for data centers, cloud providers, and enterprises with Linux-based infrastructure, as the init process is fundamental to system operation. Recovery from such a crash requires system reboot, which may not be feasible in high-availability environments without redundancy. Although exploitation requires the ability to attach BPF programs and send signals, which is typically restricted, insider threats or compromised privileged accounts could leverage this vulnerability. The lack of known exploits reduces immediate risk but does not eliminate the potential for future attacks.

Mitigation Recommendations

European organizations should promptly apply the official Linux kernel patches that address this vulnerability by skipping the task with pid=1 in bpf_send_signal_common(). Until patches are applied, organizations should restrict the ability to load or attach BPF programs to trusted and highly privileged users only, minimizing the attack surface. Implement strict access controls and monitoring on systems that allow BPF program loading, including audit logging of BPF-related activities. Employ kernel lockdown features or security modules (e.g., SELinux, AppArmor) to enforce policies that prevent unauthorized BPF program attachment. Regularly update and maintain Linux kernel versions to incorporate security fixes. In environments where patching is delayed, consider isolating critical systems or using kernel live patching solutions if available. Additionally, ensure robust incident response and recovery plans are in place to handle potential system crashes and minimize downtime.
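The following POSIX shell script is an added example written for this advisory's mitigation section; it is not part of the CVE record or of any kernel tooling. It audits two of the controls named above, the kernel.unprivileged_bpf_disabled sysctl that restricts who may load BPF programs and the kernel lockdown mode (reported because the text names it; in confidentiality mode lockdown limits what BPF programs may read from kernel memory, it is not by itself a load gate), and prints a standard auditctl rule for logging bpf() syscalls. The interpretation functions take the raw value as an argument so they can be exercised with constructed input; main() reads the live procfs/sysfs files when they exist. The "hardened" verdict requiring both controls is this example's own policy choice, not a threshold from the advisory.

```shell
#!/bin/sh
# Added example for the mitigation section of CVE-2023-52992; not part of the
# CVE record. Checks unprivileged BPF loading and kernel lockdown, and prints
# an auditd rule for logging bpf() syscalls.

# Interpret kernel.unprivileged_bpf_disabled (Documentation/admin-guide/sysctl/kernel.rst):
#   0 = unprivileged bpf() allowed
#   1 = disabled, and the setting cannot be cleared until reboot
#   2 = disabled, but an administrator may later write 0 or 1
unpriv_bpf_status() {
  case "$1" in
    1) echo "ok: unprivileged bpf() disabled (locked until reboot)" ;;
    2) echo "ok: unprivileged bpf() disabled (runtime changeable)" ;;
    0) echo "WARN: unprivileged bpf() permitted; set kernel.unprivileged_bpf_disabled=1" ;;
    *) echo "UNKNOWN: unexpected value '$1'" ;;
  esac
}

# /sys/kernel/security/lockdown lists every mode and brackets the active one,
# e.g. "none [integrity] confidentiality"; return just the active mode.
lockdown_mode() {
  printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# auditd rule (standard auditctl syntax) that records every bpf() syscall on
# x86-64, i.e. the "audit logging of BPF-related activities" the text asks for.
suggested_audit_rule() {
  echo "-a always,exit -F arch=b64 -S bpf -k bpf_syscall"
}

# Verdict (this example's policy): 0 when unprivileged BPF is off and a
# lockdown mode is active, 1 otherwise.
posture_ok() {
  [ "$1" = 1 ] || [ "$1" = 2 ] || return 1
  [ "$2" = integrity ] || [ "$2" = confidentiality ] || return 1
  return 0
}

# Read a file or fall back to a default (containers and old kernels lack some).
read_or_default() {
  if [ -r "$1" ]; then cat "$1"; else echo "$2"; fi
}

main() {
  bpf=$(read_or_default /proc/sys/kernel/unprivileged_bpf_disabled missing)
  mode=$(lockdown_mode "$(read_or_default /sys/kernel/security/lockdown '[none]')")
  echo "kernel: $(uname -r)"
  echo "unprivileged_bpf_disabled=$bpf -> $(unpriv_bpf_status "$bpf")"
  echo "lockdown mode: $mode"
  if posture_ok "$bpf" "$mode"; then
    echo "posture: hardened"
  else
    echo "posture: review needed; consider adding the audit rule: $(suggested_audit_rule)"
  fi
}

main
```

Run it as root on each host you are triaging; a value of 1 for kernel.unprivileged_bpf_disabled cannot be reverted without a reboot, so set 2 first if you need to keep the option of re-enabling unprivileged BPF for a legacy workload.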


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-03-27T16:40:15.741Z
CISA Enriched: false
CVSS Version: null (no CVSS score assigned)
State: PUBLISHED

Threat ID: 682d982fc4522896dcbe6c7e

Added to database: 5/21/2025, 9:09:03 AM

Last enriched: 7/1/2025, 2:56:13 AM

Last updated: 8/3/2025, 12:55:18 AM

