CVE-2023-52735 Overview
A critical vulnerability has been identified in the Linux kernel's BPF sockmap implementation: the protocol callback functions sock_map_close, sock_map_destroy, and sock_map_unhash can end up invoking themselves, leading to a stack overflow condition. When the callback chain is wired incorrectly, these functions enter an unbounded recursive loop.
Critical Impact
This vulnerability can be exploited remotely without authentication, potentially leading to system crashes, denial of service, and high confidentiality impact through memory disclosure. The recursive call pattern can exhaust kernel stack space and cause kernel panics.
Affected Products
- Linux Kernel versions prior to 5.15.91
- Linux Kernel versions 5.16 to 6.1.9
- Linux Kernel version 6.2 release candidates (rc1 through rc6)
Discovery Timeline
- 2024-05-21 - CVE-2023-52735 published to NVD
- 2025-04-02 - Last updated in NVD database
Technical Details for CVE-2023-52735
Vulnerability Analysis
The vulnerability resides in the Linux kernel's BPF (Berkeley Packet Filter) sockmap subsystem, which provides socket-level operations for eBPF programs. The affected functions—sock_map_close, sock_map_destroy, and sock_map_unhash—are protocol callbacks that should never invoke themselves recursively by design. However, a flaw in the callback chain allows these functions to call themselves under certain conditions, creating an unbounded recursive loop.
When triggered, the recursive calls rapidly consume kernel stack space. Since the kernel stack is limited (typically 8KB or 16KB depending on architecture), the unbounded recursion quickly leads to a stack overflow. This results in a kernel panic or system crash, causing denial of service. Additionally, the memory corruption from stack overflow can potentially expose sensitive kernel memory contents, resulting in high confidentiality impact.
Root Cause
The root cause is a design oversight in the sockmap protocol callback implementation that fails to detect and prevent self-referential callback invocations. The proto callbacks were designed under the assumption they would never form recursive call chains, but certain code paths can trigger conditions where sock_map_{close,destroy,unhash} functions invoke themselves. Without explicit recursion guards, these functions enter an infinite loop that overflows the kernel stack.
Attack Vector
The vulnerability can be exploited remotely over the network without requiring authentication or user interaction. An attacker can trigger the recursive callback behavior by sending specially crafted network packets or establishing connections that manipulate the sockmap state in a way that causes the proto callbacks to recurse. The low attack complexity and network accessibility make this vulnerability particularly dangerous for systems running affected kernel versions with BPF sockmap enabled.
The attack does not require any privileges or special access, making it exploitable by any remote attacker who can reach the target system's network services. Successful exploitation results in immediate denial of service through kernel panic, with potential for memory information disclosure during the stack overflow event.
Detection Methods for CVE-2023-52735
Indicators of Compromise
- Unexpected kernel panics or system crashes with stack traces referencing sock_map_close, sock_map_destroy, or sock_map_unhash
- Kernel log messages indicating stack overflow or recursive function call depth exceeded
- Systems becoming unresponsive during network activity involving BPF sockmap operations
- Core dumps showing deep recursion in sockmap-related kernel functions
Detection Strategies
- Monitor system logs for kernel oops or panic messages containing references to BPF sockmap functions
- Implement kernel crash dump analysis to identify stack overflow patterns in sockmap callbacks
- Deploy eBPF-based kernel tracing to detect abnormal call depth in sock_map_* functions
- Use kernel debugging tools to track sockmap proto callback invocations and flag recursive patterns
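The detection strategies above come down to spotting a call trace in which sock_map_* frames repeat far deeper than any legitimate close or unhash path would produce. The following is an added example (not from the advisory or the kernel tree) of a small crash-log scanner that applies that heuristic: it walks kernel log lines, recognises call-trace frames of the form "symbol+0xoff/0xlen", counts the longest run of consecutive sock_map_* frames, and notes whether the log mentioned a stack guard page hit. The log lines embedded below are constructed for illustration; the frame offsets, timestamps and addresses are made up and the threshold of 4 is an assumption, not a kernel constant.

```c
/* Added example: scan kernel log lines for deep sock_map_* recursion.
 * The sample log below is constructed; it is not a real oops. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct oops_summary {
    int sockmap_frames;   /* total call-trace frames inside sock_map_* functions */
    int longest_run;      /* longest run of consecutive sock_map_* frames */
    bool stack_overflow;  /* log mentioned a stack guard page hit or stack overflow */
};

/* Return a pointer to the symbol of a call-trace frame line ("[ts]  sym+0x1a/0x60"),
 * or NULL when the line is not shaped like a frame (headers, <TASK> markers, BUG lines). */
static const char *frame_symbol(const char *line)
{
    const char *p = strchr(line, ']');          /* skip the "[ timestamp]" prefix */
    p = p ? p + 1 : line;
    while (*p == ' ' || *p == '\t')
        p++;
    const char *plus = strchr(p, '+');
    if (!plus || !(isalpha((unsigned char)*p) || *p == '_'))
        return NULL;
    for (const char *q = p; q < plus; q++)      /* symbol must be a plain identifier */
        if (!(isalnum((unsigned char)*q) || *q == '_' || *q == '.'))
            return NULL;
    return p;
}

struct oops_summary summarize_oops(const char *const *lines, size_t n)
{
    struct oops_summary s = {0};
    int run = 0;
    for (size_t i = 0; i < n; i++) {
        if (strstr(lines[i], "stack guard page") || strstr(lines[i], "stack overflow"))
            s.stack_overflow = true;
        const char *sym = frame_symbol(lines[i]);
        if (!sym)
            continue;                           /* non-frame lines do not break a run */
        if (strncmp(sym, "sock_map_", 9) == 0) {
            s.sockmap_frames++;
            if (++run > s.longest_run)
                s.longest_run = run;
        } else {
            run = 0;
        }
    }
    return s;
}

/* Flag a trace whose sock_map_* run is deeper than any sane callback chain.
 * The threshold is an assumption for this example, not a kernel value. */
bool looks_like_sockmap_recursion(const struct oops_summary *s, int threshold)
{
    return s->longest_run >= threshold;
}

/* Constructed sample: six repeated sock_map_close frames before the guard page hit. */
static const char *const sample_log[] = {
    "[  412.118231] BUG: TASK stack guard page was hit at 00000000deadbeef (stack is 00000000aaaaaaaa..00000000bbbbbbbb)",
    "[  412.118250] Call Trace:",
    "[  412.118255]  <TASK>",
    "[  412.118260]  sock_map_close+0x1a/0x60",
    "[  412.118265]  sock_map_close+0x1a/0x60",
    "[  412.118270]  sock_map_close+0x1a/0x60",
    "[  412.118275]  sock_map_close+0x1a/0x60",
    "[  412.118280]  sock_map_close+0x1a/0x60",
    "[  412.118285]  sock_map_close+0x1a/0x60",
    "[  412.118290]  inet_release+0x3c/0x70",
    "[  412.118295]  __sock_release+0x42/0xb0",
    "[  412.118300]  </TASK>",
};

int sample_longest_run(void)
{
    struct oops_summary s = summarize_oops(sample_log, sizeof sample_log / sizeof *sample_log);
    return s.longest_run;
}

int sample_stack_overflow(void)
{
    struct oops_summary s = summarize_oops(sample_log, sizeof sample_log / sizeof *sample_log);
    return s.stack_overflow ? 1 : 0;
}

int main(void)
{
    struct oops_summary s = summarize_oops(sample_log, sizeof sample_log / sizeof *sample_log);
    printf("sock_map_* frames: %d, longest run: %d, guard page hit: %s\n",
           s.sockmap_frames, s.longest_run, s.stack_overflow ? "yes" : "no");
    if (looks_like_sockmap_recursion(&s, 4))
        puts("ALERT: possible sockmap callback recursion (CVE-2023-52735 pattern)");
    return 0;
}
```

On a real host the input would be the output of `dmesg` or the saved crash log from the panic logging recommended below; a hit is a reason to confirm the running kernel version against the fixed releases, not proof of exploitation on its own.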
Monitoring Recommendations
- Configure kernel panic logging and crash dump collection to capture stack traces for post-incident analysis
- Enable system audit logging for BPF program loading and sockmap operations
- Implement real-time monitoring of kernel stack usage metrics where supported
- Set up alerts for unexpected system reboots or kernel crashes on network-facing servers
How to Mitigate CVE-2023-52735
Immediate Actions Required
- Update affected Linux kernel installations to patched versions immediately
- If immediate patching is not possible, consider disabling BPF sockmap functionality if not required
- Monitor systems for signs of exploitation attempts including unexpected crashes
- Review network exposure and implement additional network-level controls for critical systems
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix introduces recursion detection logic that breaks out of the recursive loop when self-referential callback invocations are detected, preventing stack overflow while accepting a controlled resource leak as a safer alternative to a crash.
Patched kernel commits are available:
Update to kernel version 5.15.91 or later for the 5.15 LTS branch, or 6.1.9 or later for the 6.1 LTS branch. The fix is also included in kernel 6.2-rc7 and subsequent releases.
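To make the root cause and the fix concrete, here is an added userspace model (not kernel code, and not the actual patch) of the guard described above. The struct names and callback names mirror the kernel's sockmap code, but the structures are simplified stand-ins and the three scenarios in run_close are constructed: a healthy chain where the psock hands off to the real protocol close, a chain whose saved callback points back at sock_map_close, and a socket whose psock is already gone while sk_prot still carries the sockmap proto. Without the pointer comparison the last two cases would recurse until the stack is exhausted; with it the close returns early and the socket is leaked, which is the trade-off the advisory describes. The status counters and return value are additions for the example.

```c
/* Added example: a recursion guard in a sockmap-style proto callback.
 * Simplified stand-ins for kernel structures; not the kernel's own code. */
#include <stddef.h>
#include <stdio.h>

struct sock;

struct proto {                          /* stand-in for struct proto: only close */
    void (*close)(struct sock *sk);
};

struct sk_psock {                       /* stand-in for struct sk_psock */
    void (*saved_close)(struct sock *sk);  /* original proto close to chain to */
};

struct sock {
    struct proto *sk_prot;
    struct sk_psock *psock;             /* NULL once detached from the sockmap */
    int closed;                         /* set when the underlying close runs */
};

static int recursion_blocked;           /* example bookkeeping: guard fired */

static void tcp_close_stub(struct sock *sk)   /* stand-in for the real proto close */
{
    sk->closed = 1;
}

/* Guarded sockmap close. The guard compares the callback we are about to
 * invoke against this function itself: if the chain points back at us, the
 * call would recurse unboundedly, so we stop and leak the socket instead. */
static void sock_map_close(struct sock *sk)
{
    void (*saved_close)(struct sock *sk);

    if (sk->psock) {
        saved_close = sk->psock->saved_close;
        sk->psock = NULL;               /* detach from the map before chaining */
    } else {
        saved_close = sk->sk_prot->close;
    }

    if (saved_close == sock_map_close) {
        recursion_blocked++;
        fprintf(stderr, "sock_map_close: callback points at itself, leaking sock\n");
        return;                         /* controlled leak instead of stack overflow */
    }
    if (saved_close)
        saved_close(sk);
}

int recursion_blocked_count(void)
{
    return recursion_blocked;
}

/* Constructed scenarios:
 *   0 - healthy: psock chains to the real proto close
 *   1 - psock's saved callback points back at sock_map_close
 *   2 - psock already gone, sk_prot still the sockmap proto
 * Returns 1 when the underlying close ran, 0 when the guard fired. */
int run_close(int scenario)
{
    struct proto base = { .close = tcp_close_stub };
    struct proto sockmap_proto = { .close = sock_map_close };
    struct sk_psock psock = {
        .saved_close = scenario == 1 ? sock_map_close : tcp_close_stub,
    };
    struct sock sk = {
        .sk_prot = scenario == 2 ? &sockmap_proto : &base,
        .psock   = scenario == 2 ? NULL : &psock,
        .closed  = 0,
    };

    sock_map_close(&sk);
    return sk.closed;
}

int main(void)
{
    for (int s = 0; s < 3; s++)
        printf("scenario %d: underlying close ran = %d\n", s, run_close(s));
    printf("guard fired %d time(s)\n", recursion_blocked_count());
    return 0;
}
```

The comparison is cheap and needs no extra state, which is why a guard of this shape is a reasonable defensive pattern wherever a callback chain can be re-pointed at runtime; the cost is that a socket reaching the guard is never freed, so the warning it emits should be treated as a bug report, not noise.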
Workarounds
- Disable BPF sockmap functionality by restricting unprivileged BPF access using sysctl kernel.unprivileged_bpf_disabled=1
- Unload any BPF programs utilizing sockmap features if they are not critical to operations
- Implement network segmentation to reduce exposure of vulnerable systems to untrusted networks
- Consider using container or VM isolation to limit impact of potential kernel crashes
# Restrict unprivileged BPF access to mitigate exposure
sysctl -w kernel.unprivileged_bpf_disabled=1
# Make the setting persistent across reboots
echo "kernel.unprivileged_bpf_disabled=1" >> /etc/sysctl.conf
# Verify the setting is applied
sysctl kernel.unprivileged_bpf_disabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

