
CVE-2023-53075: Vulnerability in the Linux kernel (ftrace)

High
Published: Fri May 02 2025 (05/02/2025, 15:55:26 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ftrace: Fix invalid address access in lookup_rec() when index is 0

KASAN reported the following problem:

  BUG: KASAN: use-after-free in lookup_rec
  Read of size 8 at addr ffff000199270ff0 by task modprobe
  CPU: 2 Comm: modprobe
  Call trace:
    kasan_report
    __asan_load8
    lookup_rec
    ftrace_location
    arch_check_ftrace_location
    check_kprobe_address_safe
    register_kprobe

When checking pg->records[pg->index - 1].ip in lookup_rec(), it can get a pg which is newly added to ftrace_pages_start in ftrace_process_locs(). Before the first pg->index++, index is 0 and accessing pg->records[-1].ip will cause this problem.

Don't check the ip when pg->index is 0.

AI-Powered Analysis

Last updated: 07/01/2025, 03:58:02 UTC

Technical Analysis

CVE-2023-53075 is a bug in the Linux kernel's ftrace subsystem, in the lookup_rec() helper that maps an address range to a dyn_ftrace record. lookup_rec() walks the list of ftrace pages and, before binary-searching a page, checks the requested range against the page's first and last records, pg->records[0].ip and pg->records[pg->index - 1].ip. A page that ftrace_process_locs() has just linked into ftrace_pages_start has index 0 until its first record is stored, so the "last record" check reads pg->records[-1].ip, eight bytes before the start of the records array. KASAN reported the access as a use-after-free read of size 8 because the bytes before the array belonged to freed memory; strictly it is a one-word out-of-bounds read. The trace in the description shows the caller: modprobe loading a module, which registers a kprobe, and register_kprobe() -> check_kprobe_address_safe() -> arch_check_ftrace_location() -> ftrace_location() -> lookup_rec() runs while the module's own ftrace records are still being populated. The fix, the commit the description quotes, adds a pg->index == 0 test to the pre-check so an empty page is skipped without touching its records array.

Because the faulting access is a read whose value is only used in a range comparison, the realistic consequence is a kernel oops or KASAN splat (denial of service) if the memory before the array is unmapped or poisoned, or a wrong comparison result; nothing is written. Reaching the code path requires privileged operations on both sides of the race: loading a kernel module (CAP_SYS_MODULE) and registering a kprobe (root via tracefs kprobe_events, or perf/BPF kprobe attachment, which also needs elevated capabilities). The CVE record carries no CVSS score and reports no exploitation in the wild. This page does not list the affected version range; treat any kernel that does not carry the fix commit, or a distribution backport of it, as affected.
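As an added illustration (not kernel source, and not code from the CVE record or the fix commit), the following user-space model walks a list of ftrace pages the way lookup_rec() does and shows the pg->index == 0 guard that the fix adds. The struct layout follows the kernel's dyn_ftrace and ftrace_page loosely, MCOUNT_INSN_SIZE is assumed to be 4, the comparator mirrors the range semantics of the kernel's ftrace_cmp_recs(), and the sample pages, including one freshly linked page with no records yet, are constructed data:

```c
/*
 * Added illustration of the lookup_rec() page walk, not kernel code.
 * Struct names follow the kernel loosely; MCOUNT_INSN_SIZE is assumed
 * to be 4 and the page capacity is arbitrary for this model.
 */
#include <stdio.h>
#include <stdlib.h>

#define MCOUNT_INSN_SIZE 4   /* assumed; arch-specific in the kernel */
#define RECS_PER_PAGE    4   /* arbitrary capacity for the model */

struct dyn_ftrace {
    unsigned long ip;
    unsigned long flags;     /* overloaded as "end" in the search key */
};

struct ftrace_page {
    struct ftrace_page *next;
    struct dyn_ftrace *records;  /* sorted ascending by ip */
    int index;                   /* number of records stored so far */
    int size;                    /* capacity */
};

/* Same semantics as the kernel's ftrace_cmp_recs(): the key is a range
 * [key->ip, key->flags] and a record covers [ip, ip + MCOUNT_INSN_SIZE). */
static int ftrace_cmp_recs(const void *a, const void *b)
{
    const struct dyn_ftrace *key = a;
    const struct dyn_ftrace *rec = b;

    if (key->flags < rec->ip)
        return -1;
    if (key->ip >= rec->ip + MCOUNT_INSN_SIZE)
        return 1;
    return 0;
}

/* Fixed form of the per-page pre-check.  Before the fix the condition was
 *   end < pg->records[0].ip ||
 *   start >= pg->records[pg->index - 1].ip + MCOUNT_INSN_SIZE
 * so a page with index == 0 made it read pg->records[-1].ip. */
static struct dyn_ftrace *lookup_rec(struct ftrace_page *pages,
                                     unsigned long start, unsigned long end)
{
    struct dyn_ftrace key = { .ip = start, .flags = end };

    for (struct ftrace_page *pg = pages; pg; pg = pg->next) {
        if (pg->index == 0 ||
            end < pg->records[0].ip ||
            start >= pg->records[pg->index - 1].ip + MCOUNT_INSN_SIZE)
            continue;
        struct dyn_ftrace *rec = bsearch(&key, pg->records, pg->index,
                                         sizeof(*pg->records), ftrace_cmp_recs);
        if (rec)
            return rec;
    }
    return NULL;
}

/* Build one page holding the given ips (n may be 0 for an empty page). */
static struct ftrace_page *make_page(const unsigned long *ips, int n,
                                     struct ftrace_page *next)
{
    struct ftrace_page *pg = calloc(1, sizeof(*pg));
    if (!pg || !(pg->records = calloc(RECS_PER_PAGE, sizeof(*pg->records))))
        abort();
    pg->size = RECS_PER_PAGE;
    for (int i = 0; i < n; i++)
        pg->records[pg->index++].ip = ips[i];
    pg->next = next;
    return pg;
}

/* Constructed scenario: core records, then a page just linked in by the
 * loader with index still 0, then the new module's records. */
static struct ftrace_page *build_sample_pages(void)
{
    static const unsigned long core[]   = { 0x1000, 0x1010, 0x1020 };
    static const unsigned long module[] = { 0x3000, 0x3010 };
    struct ftrace_page *p2 = make_page(module, 2, NULL);
    struct ftrace_page *p1 = make_page(NULL, 0, p2);   /* the empty page */
    return make_page(core, 3, p1);
}

/* Look up a range against the sample pages; returns the matched ip or 0. */
unsigned long lookup_ip(unsigned long start, unsigned long end)
{
    struct ftrace_page *pages = build_sample_pages();
    struct dyn_ftrace *rec = lookup_rec(pages, start, end);
    unsigned long ip = rec ? rec->ip : 0;

    while (pages) {
        struct ftrace_page *n = pages->next;
        free(pages->records);
        free(pages);
        pages = n;
    }
    return ip;
}

int main(void)
{
    printf("0x1012 -> 0x%lx\n", lookup_ip(0x1012, 0x1012));  /* inside core rec */
    printf("0x3000 -> 0x%lx\n", lookup_ip(0x3000, 0x3003));  /* past the empty page */
    printf("0x2000 -> 0x%lx\n", lookup_ip(0x2000, 0x2000));  /* no record */
    return 0;
}
```

The empty middle page stands in for the page ftrace_process_locs() has just linked in. Without the index test the pre-check would dereference records[-1].ip on that page, the eight-byte read KASAN flagged; with it the page is skipped and the search continues into the module's page.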

Potential Impact

For European organizations, as for anyone running Linux on servers, cloud estates or embedded fleets, the practical impact of CVE-2023-53075 is availability: a kernel that hits the invalid read during module loading or kprobe registration can oops, and on a KASAN-enabled debug kernel the report can turn into a panic depending on the kernel's oops and warning handling settings. Confidentiality and integrity are not directly affected. The bug is a one-word out-of-bounds read whose value only steers a range comparison, and nothing in the record suggests a route to privilege escalation. The operations needed to reach the code path, loading modules and registering kprobes, are already privileged, so the exposure is mainly to administrators' own tooling and to privileged workloads that attach kprobes while modules are being loaded: tracing agents, eBPF-based observability and security tools, and live-patching or driver management on hosts that load modules frequently (autoloading drivers, CI runners that build and insert modules, embedded and industrial devices that load drivers on demand). The sectors the original analysis names (finance, telecommunications, government, critical infrastructure, cloud and hosting providers) are affected to the extent that unplanned kernel crashes on such hosts matter to them. No exploitation in the wild is reported.

Mitigation Recommendations

Apply the distribution kernel update that carries the fix for CVE-2023-53075 (the ftrace lookup_rec() commit quoted in the description); this is a correctness fix in core ftrace code and has no configuration-level workaround. Until patched, reduce how often the racing operations happen and who can trigger them: restrict module loading to administrators (CAP_SYS_MODULE), and on hosts whose module set is fixed after boot set kernel.modules_disabled=1 once the needed modules are loaded; keep tracefs (/sys/kernel/tracing, including kprobe_events) root-only; and do not give containers CAP_SYS_MODULE, CAP_SYS_ADMIN or CAP_PERFMON or a writable tracefs mount. SELinux or AppArmor policies and seccomp profiles that deny init_module, finit_module and perf_event_open in workloads that do not need them limit the trigger surface further. Kernel Page Table Isolation and similar CPU-side mitigations do not apply to this bug. For detection, forward kernel logs and alert on KASAN reports, oopses and stack traces that mention lookup_rec or ftrace_location, and correlate them with module load events (modprobe and insmod in audit logs, kernel module-loaded messages). Review these policies as part of routine kernel hardening, and make sure administrators understand that module loading is kernel code execution and that tracing privileges should be granted as sparingly.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-05-02T15:51:43.549Z
CISA Enriched: false
CVSS Version: null (no score assigned)
State: PUBLISHED

Threat ID: 682d9830c4522896dcbe6edf

Added to database: 5/21/2025, 9:09:04 AM

Last enriched: 7/1/2025, 3:58:02 AM

Last updated: 7/31/2025, 8:37:01 AM

