CVE-2023-53093: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

tracing: Do not let histogram values have some modifiers

Histogram values can not be strings, stacktraces, graphs, symbols, syscalls, or grouped in buckets or log. Give an error if a value is set to do so.

Note, the histogram code was not prepared to handle these modifiers for histograms and caused a bug.

Mark Rutland reported:

  # echo 'p:copy_to_user __arch_copy_to_user n=$arg2' >> /sys/kernel/tracing/kprobe_events
  # echo 'hist:keys=n:vals=hitcount.buckets=8:sort=hitcount' > /sys/kernel/tracing/events/kprobes/copy_to_user/trigger
  # cat /sys/kernel/tracing/events/kprobes/copy_to_user/hist
  [ 143.694628] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
  [ 143.695190] Mem abort info:
  [ 143.695362] ESR = 0x0000000096000004
  [ 143.695604] EC = 0x25: DABT (current EL), IL = 32 bits
  [ 143.695889] SET = 0, FnV = 0
  [ 143.696077] EA = 0, S1PTW = 0
  [ 143.696302] FSC = 0x04: level 0 translation fault
  [ 143.702381] Data abort info:
  [ 143.702614] ISV = 0, ISS = 0x00000004
  [ 143.702832] CM = 0, WnR = 0
  [ 143.703087] user pgtable: 4k pages, 48-bit VAs, pgdp=00000000448f9000
  [ 143.703407] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
  [ 143.704137] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
  [ 143.704714] Modules linked in:
  [ 143.705273] CPU: 0 PID: 133 Comm: cat Not tainted 6.2.0-00003-g6fc512c10a7c #3
  [ 143.706138] Hardware name: linux,dummy-virt (DT)
  [ 143.706723] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  [ 143.707120] pc : hist_field_name.part.0+0x14/0x140
  [ 143.707504] lr : hist_field_name.part.0+0x104/0x140
  [ 143.707774] sp : ffff800008333a30
  [ 143.707952] x29: ffff800008333a30 x28: 0000000000000001 x27: 0000000000400cc0
  [ 143.708429] x26: ffffd7a653b20260 x25: 0000000000000000 x24: ffff10d303ee5800
  [ 143.708776] x23: ffffd7a6539b27b0 x22: ffff10d303fb8c00 x21: 0000000000000001
  [ 143.709127] x20: ffff10d303ec2000 x19: 0000000000000000 x18: 0000000000000000
  [ 143.709478] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
  [ 143.709824] x14: 0000000000000000 x13: 203a6f666e692072 x12: 6567676972742023
  [ 143.710179] x11: 0a230a6d6172676f x10: 000000000000002c x9 : ffffd7a6521e018c
  [ 143.710584] x8 : 000000000000002c x7 : 7f7f7f7f7f7f7f7f x6 : 000000000000002c
  [ 143.710915] x5 : ffff10d303b0103e x4 : ffffd7a653b20261 x3 : 000000000000003d
  [ 143.711239] x2 : 0000000000020001 x1 : 0000000000000001 x0 : 0000000000000000
  [ 143.711746] Call trace:
  [ 143.712115] hist_field_name.part.0+0x14/0x140
  [ 143.712642] hist_field_name.part.0+0x104/0x140
  [ 143.712925] hist_field_print+0x28/0x140
  [ 143.713125] event_hist_trigger_print+0x174/0x4d0
  [ 143.713348] hist_show+0xf8/0x980
  [ 143.713521] seq_read_iter+0x1bc/0x4b0
  [ 143.713711] seq_read+0x8c/0xc4
  [ 143.713876] vfs_read+0xc8/0x2a4
  [ 143.714043] ksys_read+0x70/0xfc
  [ 143.714218] __arm64_sys_read+0x24/0x30
  [ 143.714400] invoke_syscall+0x50/0x120
  [ 143.714587] el0_svc_common.constprop.0+0x4c/0x100
  [ 143.714807] do_el0_svc+0x44/0xd0
  [ 143.714970] el0_svc+0x2c/0x84
  [ 143.715134] el0t_64_sync_handler+0xbc/0x140
  [ 143.715334] el0t_64_sync+0x190/0x194
  [ 143.715742] Code: a9bd7bfd 910003fd a90153f3 aa0003f3 (f9400000)
  [ 143.716510] ---[ end trace 0000000000000000 ]---
  Segmentation fault
AI Analysis
Technical Summary
CVE-2023-53093 is a vulnerability in the Linux kernel's tracing subsystem, in the code that handles histogram values for trace events. Histogram values cannot be strings, stacktraces, graphs, symbols or syscalls, and cannot be grouped in buckets or on a logarithmic scale, but the histogram code was not designed to handle these modifiers on values and did not reject them. When such a modifier is applied to a histogram value, the missing validation leads to a NULL pointer dereference and a kernel oops (crash). The reported example shows this: a kprobe event is given a histogram trigger with vals=hitcount.buckets=8, and reading the event's hist file then faults in hist_field_name(), reached from hist_show() through event_hist_trigger_print() and hist_field_print(). The kernel aborts with a level 0 translation fault at virtual address 0, resulting in a segmentation fault and system instability. The root cause is that the histogram code does not check for invalid modifiers before processing, so it dereferences a NULL pointer. This vulnerability affects Linux kernel versions including the one identified by the commit hash c6afad49d127f6d7c9957319f55173a2198b1ba8. Although no known exploits are reported in the wild, the vulnerability allows a local user with permission to write to tracing events (typically root or privileged users) to cause a denial of service by crashing the kernel. The issue was reported by Mark Rutland and has been addressed by adding validation that rejects unsupported modifiers on histogram values, which prevents the kernel crash.
Potential Impact
The primary impact of CVE-2023-53093 is a denial-of-service (DoS) condition caused by a kernel crash triggered through the Linux kernel tracing subsystem. For European organizations, this vulnerability could disrupt critical systems running Linux kernels with the affected tracing code, especially in environments relying on kernel tracing for performance monitoring or debugging. Systems that allow untrusted or less-trusted users to configure tracing events are at higher risk, as exploitation requires local access with permissions to modify tracing events. The crash could lead to system downtime, loss of availability, and potential disruption of services, which is critical for infrastructure providers, cloud services, and enterprises relying on Linux-based servers. While this vulnerability does not directly lead to privilege escalation or data leakage, the resulting instability could be leveraged as part of a broader attack chain or cause operational disruptions. Given the widespread use of Linux in European data centers, cloud environments, and embedded systems, the impact could be significant if exploited in sensitive or high-availability environments.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address this vulnerability as soon as they become available from trusted sources or Linux distribution vendors.
2. Restrict access to the tracing subsystem by limiting permissions to only trusted administrators and users; ensure that only authorized personnel can write to /sys/kernel/tracing/kprobe_events and related tracing interfaces.
3. Monitor kernel logs and tracing subsystem activity for unusual or unauthorized modifications to tracing events that could indicate exploitation attempts.
4. Disable or restrict kernel tracing features on production systems where tracing is not required, reducing the attack surface.
5. Implement strict access controls and auditing on systems that allow local user access, especially in multi-tenant or shared environments.
6. For embedded or specialized Linux systems, verify kernel versions and apply backported patches if necessary to mitigate the vulnerability.
7. Incorporate this vulnerability into vulnerability management and incident response plans to ensure rapid detection and remediation.
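Recommendation 3 can be applied before a trigger ever reaches tracefs. The following is an added example, not part of the original advisory or of the kernel fix: it lints hist trigger specifications found in scripts or command audit logs and flags any value carrying one of the modifiers named in the description. The mapping from those categories to modifier suffixes, the function names and the sample script are assumptions constructed for illustration.

```python
import re

# Suffixes for the categories the advisory says a histogram value may not
# carry. Assumed mapping to the documented hist-trigger modifier names.
DISALLOWED_ON_VALUES = {"stacktrace", "graph", "sym", "sym-offset",
                        "syscall", "buckets", "log2"}
VALUE_PARAMS = ("vals", "val", "values")    # accepted spellings of the parameter

# Constructed sample: line 2 is the trigger from the report, the rest are made up.
SAMPLE = """\
echo 'p:copy_to_user __arch_copy_to_user n=$arg2' >> /sys/kernel/tracing/kprobe_events
echo 'hist:keys=n:vals=hitcount.buckets=8:sort=hitcount' > /sys/kernel/tracing/events/kprobes/copy_to_user/trigger
echo 'hist:keys=n.buckets=8:vals=hitcount:sort=hitcount' > /sys/kernel/tracing/events/kprobes/copy_to_user/trigger
echo 'hist:keys=common_pid:values=bytes_req.log2,hitcount if bytes_req > 0' > /sys/kernel/tracing/events/kmem/kmalloc/trigger
"""


def parse_hist_trigger(spec):
    """Return {param: [items]} for a 'hist:...' trigger spec, else None."""
    spec = spec.strip()
    if not spec.startswith("hist:"):
        return None                         # comment or another trigger type
    body = re.split(r"\s+if\s+", spec[len("hist:"):], maxsplit=1)[0]  # drop filter
    body = (body.split() or [""])[0]        # drop a trailing "[active]" status
    params = {}
    for part in body.split(":"):
        name, sep, value = part.partition("=")
        if sep:
            params[name] = value.split(",")
    return params


def flagged_values(spec):
    """List (field, modifier) pairs where a value carries a disallowed modifier."""
    params = parse_hist_trigger(spec) or {}
    hits = []
    for name in VALUE_PARAMS:
        for item in params.get(name, []):
            field, _, modifier = item.partition(".")
            modifier = modifier.split("=")[0]     # ".buckets=8" -> "buckets"
            if modifier in DISALLOWED_ON_VALUES:
                hits.append((field, modifier))
    return hits


def scan_script(text):
    """Find hist specs in shell text; return (line_no, field, modifier) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for spec in re.findall(r"hist:[^'\"\n]*", line):
            findings += [(line_no, f, m) for f, m in flagged_values(spec)]
    return findings
```

Modifiers on keys, as in line 3 of the sample, are not flagged; only the value parameter is checked.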
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-05-02T15:51:43.552Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED
Threat ID: 682d9830c4522896dcbe6f74
Added to database: 5/21/2025, 9:09:04 AM
Last enriched: 7/1/2025, 4:12:33 AM
Last updated: 8/1/2025, 1:14:14 AM