CVE-2023-52995: Vulnerability in the Linux kernel (riscv/kprobe)
Description
In the Linux kernel, the following vulnerability has been resolved:

riscv/kprobe: Fix instruction simulation of JALR

Setting a kprobe at 'jalr 1140(ra)' of vfs_write results in the following crash:

[ 32.092235] Unable to handle kernel access to user memory without uaccess routines at virtual address 00aaaaaad77b1170
[ 32.093115] Oops [#1]
[ 32.093251] Modules linked in:
[ 32.093626] CPU: 0 PID: 135 Comm: ftracetest Not tainted 6.2.0-rc2-00013-gb0aa5e5df0cb-dirty #16
[ 32.093985] Hardware name: riscv-virtio,qemu (DT)
[ 32.094280] epc : ksys_read+0x88/0xd6
[ 32.094855] ra : ksys_read+0xc0/0xd6
[ 32.095016] epc : ffffffff801cda80 ra : ffffffff801cdab8 sp : ff20000000d7bdc0
[ 32.095227] gp : ffffffff80f14000 tp : ff60000080f9cb40 t0 : ffffffff80f13e80
[ 32.095500] t1 : ffffffff8000c29c t2 : ffffffff800dbc54 s0 : ff20000000d7be60
[ 32.095716] s1 : 0000000000000000 a0 : ffffffff805a64ae a1 : ffffffff80a83708
[ 32.095921] a2 : ffffffff80f160a0 a3 : 0000000000000000 a4 : f229b0afdb165300
[ 32.096171] a5 : f229b0afdb165300 a6 : ffffffff80eeebd0 a7 : 00000000000003ff
[ 32.096411] s2 : ff6000007ff76800 s3 : fffffffffffffff7 s4 : 00aaaaaad77b1170
[ 32.096638] s5 : ffffffff80f160a0 s6 : ff6000007ff76800 s7 : 0000000000000030
[ 32.096865] s8 : 00ffffffc3d97be0 s9 : 0000000000000007 s10: 00aaaaaad77c9410
[ 32.097092] s11: 0000000000000000 t3 : ffffffff80f13e48 t4 : ffffffff8000c29c
[ 32.097317] t5 : ffffffff8000c29c t6 : ffffffff800dbc54
[ 32.097505] status: 0000000200000120 badaddr: 00aaaaaad77b1170 cause: 000000000000000d
[ 32.098011] [<ffffffff801cdb72>] ksys_write+0x6c/0xd6
[ 32.098222] [<ffffffff801cdc06>] sys_write+0x2a/0x38
[ 32.098405] [<ffffffff80003c76>] ret_from_syscall+0x0/0x2

Since rs1 and rd might be the same register, as in 'jalr 1140(ra)', the target address must be obtained from rs1 before rd is updated.

[Palmer: Pick Guo's cleanup]
AI Analysis
Technical Summary
CVE-2023-52995 is a bug in the Linux kernel's RISC-V kprobes implementation, specifically in the software simulation of the JALR (jump and link register) instruction. Because JALR changes the program counter, kprobes cannot execute it out of line from a copy and instead simulate it in software; it is this simulation that was wrong. JALR has two effects: it writes the link address (the address of the following instruction) into rd, and it jumps to rs1 plus the sign-extended 12-bit immediate. The kernel's simulation performed them in the wrong order, writing rd before reading rs1. That is harmless while rd and rs1 differ, but in 'jalr 1140(ra)' both are ra, so the base address was read only after it had already been replaced with the link address. The computed target became probe address + 4 + 1140 instead of the intended callee, and the kernel resumed execution at an unrelated address. This pattern is not rare: the RISC-V 'call' pseudo-instruction expands to 'auipc ra, hi; jalr ra, lo(ra)', so a probe on the second half of almost any far call hits it. The crash log shows the consequences rather than the cause: the faulting epc is inside ksys_read although the call chain runs through ksys_write and vfs_write, and the misdirected code then dereferenced a user-space pointer (badaddr 00aaaaaad77b1170, still visible in s4) outside any uaccess routine, which the RISC-V page-fault handler reports as "Unable to handle kernel access to user memory without uaccess routines" and turns into an Oops. The Oops kills the probed task and, on systems with panic_on_oops set, brings down the whole machine. The fix is the reordering the commit message describes: read the target base from rs1 first, then update rd. The crash was reproduced by the kernel's ftrace selftests (Comm: ftracetest) on a 6.2.0-rc2 development kernel under QEMU; any kernel whose RISC-V kprobe code simulates JALR with the old ordering is affected. Triggering it requires registering a kprobe, which is a privileged operation (root via tracefs kprobe_events or perf probe, a kernel module, or BPF with the relevant capabilities), so the practical effect is a denial of service caused by a privileged user's own tracing activity, not something an unprivileged process can provoke. No exploitation in the wild is reported.
Potential Impact
For European organizations, the impact of CVE-2023-52995 is confined to the availability of RISC-V Linux hosts, and only in one scenario: a privileged user or tool registers a kprobe on a jalr instruction whose destination and base register are the same, most commonly the 'jalr ra, off(ra)' half of a far call. Unprivileged users cannot trigger it, and it provides neither privilege escalation nor access to data. The realistic failure mode is a production host Oopsing (or panicking, if panic_on_oops is set) while an operator or an observability agent built on perf, ftrace or BPF kprobes is tracing it. RISC-V adoption is still emerging, but the sectors investing in it, embedded and IoT products, telecommunications equipment and research computing, are also the ones most likely to run such tracing on live systems, where a crash means operational downtime with the associated financial or reputational cost. Given that the trigger requires root and a specific probe placement, the immediate risk is low; it is also cheap to remove, so organizations with RISC-V Linux in service should take the fix with their next kernel update rather than leave it for later.
Mitigation Recommendations
To mitigate CVE-2023-52995, organizations should: 1) Run a kernel that includes the riscv/kprobe JALR simulation fix. The fix is already merged upstream (the description states the issue "has been resolved"), so this means moving to a vendor or stable kernel that carries it; to verify a source tree, check that simulate_jalr in arch/riscv/kernel/probes/simulate-insn.c reads rs1 before it writes rd. 2) Until patched, do not place kprobes on jalr instructions whose destination and base register are the same. Since the 'call' pseudo-instruction expands to 'auipc ra, hi; jalr ra, lo(ra)', this covers the second instruction of nearly every far call; probe the callee's entry symbol or the instruction after the call instead of the call itself. 3) Exercise kprobes on RISC-V kernel builds with the kernel's ftrace selftests (tools/testing/selftests/ftrace/ftracetest, the process named in the crash log) before rolling a kernel to production; the unfixed code crashes there. 4) Monitor kernel logs for the string "Unable to handle kernel access to user memory without uaccess routines" and for Oops reports in which the epc lies in a function absent from the backtrace (in the description, epc in ksys_read with a call chain through ksys_write) appearing right after a probe is registered. 5) Confirm with hardware and software vendors which kernel versions their RISC-V boards and images ship and coordinate timely updates. 6) For critical RISC-V deployments, keep redundancy and failover in place and restrict who may register kprobes (tracefs, perf, BPF), so that one mistaken probe on one node does not become an outage.
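The two orderings side by side, as an added example that is not the kernel's own code: a user-space model of the kprobe JALR simulation with the pre-fix order (write rd, then read rs1) next to the post-fix order (read rs1, then write rd), run on the encoding of 'jalr 1140(ra)'. It also includes the check from mitigation item 2, a predicate that flags a JALR whose rd equals rs1. The register-file layout, helper names, probe and callee addresses are constructed for the example; only the I-type encoding and the ordering described in the commit message come from the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not kernel code: a user-space model of the RISC-V kprobe
 * JALR simulation. Register file, helper names and addresses are constructed.
 */

#define NR_REGS 32
enum { REG_ZERO = 0, REG_RA = 1 };

struct regs {
    uint64_t x[NR_REGS]; /* x0..x31; x0 always reads as zero */
    uint64_t pc;
};

/* Encode an I-type JALR: imm[11:0] | rs1 | funct3=0 | rd | opcode 0x67. */
uint32_t encode_jalr(unsigned rd, unsigned rs1, int32_t imm)
{
    return ((uint32_t)imm & 0xfff) << 20 | (rs1 & 0x1f) << 15 | (rd & 0x1f) << 7 | 0x67;
}

/* True if insn is a JALR whose link register is also its base register (the risky case). */
bool jalr_rd_is_rs1(uint32_t insn)
{
    bool is_jalr = (insn & 0x7f) == 0x67 && ((insn >> 12) & 0x7) == 0;
    return is_jalr && ((insn >> 7) & 0x1f) == ((insn >> 15) & 0x1f);
}

/* Sign-extend a 12-bit immediate. */
static int64_t sext12(uint32_t imm)
{
    return (imm & 0x800) ? (int64_t)imm - 0x1000 : (int64_t)imm;
}

static bool reg_get(const struct regs *r, unsigned idx, uint64_t *val)
{
    if (idx >= NR_REGS) return false;
    *val = (idx == REG_ZERO) ? 0 : r->x[idx];
    return true;
}

static bool reg_set(struct regs *r, unsigned idx, uint64_t val)
{
    if (idx >= NR_REGS) return false;
    if (idx != REG_ZERO) r->x[idx] = val;
    return true;
}

/* Pre-fix ordering: write rd (link address) first, then read rs1. Wrong when rd == rs1. */
bool simulate_jalr_buggy(uint32_t insn, uint64_t addr, struct regs *r)
{
    uint32_t imm = (insn >> 20) & 0xfff;
    unsigned rd = (insn >> 7) & 0x1f, rs1 = (insn >> 15) & 0x1f;
    uint64_t base;

    if (!reg_set(r, rd, addr + 4)) return false;
    if (!reg_get(r, rs1, &base)) return false;  /* reads addr + 4 when rs1 == rd */
    r->pc = (base + (uint64_t)sext12(imm)) & ~1ULL;
    return true;
}

/* Post-fix ordering: read the base from rs1, then write rd, as the commit message prescribes. */
bool simulate_jalr_fixed(uint32_t insn, uint64_t addr, struct regs *r)
{
    uint32_t imm = (insn >> 20) & 0xfff;
    unsigned rd = (insn >> 7) & 0x1f, rs1 = (insn >> 15) & 0x1f;
    uint64_t base;

    if (!reg_get(r, rs1, &base)) return false;
    if (!reg_set(r, rd, addr + 4)) return false;
    r->pc = (base + (uint64_t)sext12(imm)) & ~1ULL;
    return true;
}

/*
 * Simulate 'jalr rd, imm(rs1)' probed at probe_addr with rs1 holding base_in.
 * Returns the resulting pc (0 on failure); *link_out receives the value left in rd.
 */
uint64_t jalr_sim(bool fixed, unsigned rd, unsigned rs1, int32_t imm,
                  uint64_t probe_addr, uint64_t base_in, uint64_t *link_out)
{
    struct regs r = {0};
    uint32_t insn;
    bool ok;

    rd &= 0x1f;
    rs1 &= 0x1f;
    insn = encode_jalr(rd, rs1, imm);
    r.x[rs1] = base_in;
    ok = fixed ? simulate_jalr_fixed(insn, probe_addr, &r)
               : simulate_jalr_buggy(insn, probe_addr, &r);
    if (!ok) return 0;
    *link_out = r.x[rd];
    return r.pc;
}

int main(void)
{
    /* Constructed addresses: a probe on 'jalr 1140(ra)' while ra points at the real callee. */
    const uint64_t probe = 0xffffffff80200000ULL, callee = 0xffffffff80300000ULL;
    uint64_t link, pc;

    pc = jalr_sim(false, REG_RA, REG_RA, 1140, probe, callee, &link);
    printf("buggy: pc=%#llx link=%#llx\n", (unsigned long long)pc, (unsigned long long)link);
    pc = jalr_sim(true, REG_RA, REG_RA, 1140, probe, callee, &link);
    printf("fixed: pc=%#llx link=%#llx\n", (unsigned long long)pc, (unsigned long long)link);
    return 0;
}
```

With ra pointing at the callee, the fixed order lands on callee + 1140 while the buggy order lands on probe + 4 + 1140, an address inside whatever function happens to follow the probe, which is exactly the "epc in ksys_read, backtrace in ksys_write" shape seen in the crash log. When rd and rs1 differ, both orders agree, which is why the bug only shows on the 'jalr ra, off(ra)' pattern.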
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-03-27T16:40:15.742Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982fc4522896dcbe6c8e
Added to database: 5/21/2025, 9:09:03 AM
Last enriched: 7/1/2025, 2:56:42 AM
Last updated: 8/5/2025, 6:30:55 AM
Related Threats
- CVE-2025-9000: Uncontrolled Search Path in Mechrevo Control Center GX V2 (High)
- CVE-2025-8993: SQL Injection in itsourcecode Online Tour and Travel Management System (Medium)
- CVE-2025-8992: Cross-Site Request Forgery in mtons mblog (Medium)
- CVE-2025-8991: Business Logic Errors in linlinjava litemall (Medium)
- CVE-2025-8990: SQL Injection in code-projects Online Medicine Guide (Medium)